Hello, we have a DNS resolver running the latest BIND 9.7 version, and
there is a problem with several zones from these authoritative servers
(frantovo.cz is just an example; the problem occurs in all signed
zones from these authoritative servers):
frantovo.cz. 3111 IN NS ns.forpsi.net.
frantovo.cz. 3111 IN NS ns.forpsi.cz.
frantovo.cz. 3111 IN NS ns.forpsi.it.
Our resolver logs this:
31-Jan-2011 11:45:30.837 dnssec: debug 3: validating @0xd69c000: frantovo.cz NS: starting
31-Jan-2011 11:45:30.837 dnssec: debug 3: validating @0xd69c000: frantovo.cz NS: attempting insecurity proof
31-Jan-2011 11:45:30.837 dnssec: debug 3: validating @0xd69c000: frantovo.cz NS: checking existence of DS at 'cz'
31-Jan-2011 11:45:30.837 dnssec: debug 3: validating @0xd69c000: frantovo.cz NS: checking existence of DS at 'frantovo.cz'
31-Jan-2011 11:45:30.837 dnssec: debug 3: validating @0xd69c000: frantovo.cz NS: insecurity proof failed
31-Jan-2011 11:45:30.837 dnssec: info: validating @0xd69c000: frantovo.cz NS: got insecure response; parent indicates it should be secure
The problem arises from the fact that all these servers fail to respond
to queries for the DS record of their zones:
# dig @ns.forpsi.cz frantovo.cz ds
; <<>> DiG 9.7.2-P2 <<>> @ns.forpsi.cz frantovo.cz ds
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
Which is strange, because according to RFCs, the DS record for a given
zone is required only in the parent zone, not the child zone itself.
Does BIND query for the existence of a DS record in the child zone, and
if so, why? Or is the cause of the problem different?
Any advice would be welcome, thanks in advance.
Best Regards
Daniel Ryslink
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
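The log sequence in the post above (DS checked at 'cz', then at 'frantovo.cz', then "insecurity proof failed") is the validator walking the delegation chain as described in RFC 4035 section 5: a zone may legitimately return unsigned data only if its parent publishes no DS for it. The following is an added, simplified model of that decision logic, written for this page and not taken from BIND or from the original post. The zone table is constructed sample data (the real delegation state of frantovo.cz is not asserted here); the DS check consults the parent zone's data, because DS records live in the parent, and the outcome for an unsigned child whose parent does carry a DS is "bogus", which is the condition the log reports.

```python
"""Simplified model of a DNSSEC validator's insecurity proof (RFC 4035 s.5).

Added example: not BIND code. Zone data below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    signed: bool            # do this zone's answers carry RRSIGs?
    ds_children: frozenset  # child zones for which THIS zone publishes a DS


# Constructed delegation tree (hypothetical state, not live DNS data):
#   root -> cz (signed, DS in root)
#   cz   -> frantovo.cz  (cz publishes a DS, but the child answers unsigned)
#   cz   -> signed.cz    (DS in cz, child signed: secure)
#   cz   -> unsigned.cz  (no DS in cz, child unsigned: insecure, and that is fine)
ZONES = {
    ".":           Zone(signed=True,  ds_children=frozenset({"cz"})),
    "cz":          Zone(signed=True,  ds_children=frozenset({"frantovo.cz", "signed.cz"})),
    "frantovo.cz": Zone(signed=False, ds_children=frozenset()),
    "signed.cz":   Zone(signed=True,  ds_children=frozenset()),
    "unsigned.cz": Zone(signed=False, ds_children=frozenset()),
}


def zone_cuts(name, zones):
    """Zone apexes from the root down to the closest enclosing zone of `name`.

    Labels that are not apexes in `zones` are treated as living inside the
    nearest enclosing zone (no zone cut), e.g. www.frantovo.cz -> frantovo.cz.
    """
    labels = [label for label in name.rstrip(".").split(".") if label]
    chain = ["."]
    for i in range(len(labels) - 1, -1, -1):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            chain.append(candidate)
    return chain


def validate(name, zones, trust_anchor="."):
    """Return (status, trace) where status is 'secure', 'insecure' or 'bogus'.

    Walks each delegation from the trust anchor down. At every cut the DS is
    looked up in the PARENT zone's data. No DS => provable insecure delegation.
    DS present but child unsigned => the parent says "secure", the child does
    not deliver: validation fails (bogus).
    """
    if not zones[trust_anchor].signed:
        raise ValueError("trust anchor zone must be signed")
    trace = []
    chain = zone_cuts(name, zones)
    for parent, child in zip(chain, chain[1:]):
        trace.append(f"checking existence of DS at '{child}'")
        if child not in zones[parent].ds_children:
            trace.append(f"no DS for '{child}' in '{parent}': insecurity proof succeeded")
            return "insecure", trace
        if not zones[child].signed:
            trace.append("insecurity proof failed")
            trace.append(f"got insecure response; parent '{parent}' indicates "
                         f"'{child}' should be secure")
            return "bogus", trace
        trace.append(f"'{child}' has a DS in '{parent}' and is signed: secure so far")
    return "secure", trace


if __name__ == "__main__":
    for qname in ("frantovo.cz", "www.frantovo.cz", "signed.cz", "unsigned.cz"):
        status, trace = validate(qname, ZONES)
        print(f"{qname}: {status}")
        for line in trace:
            print("   ", line)
```

The model deliberately omits the signature and NSEC/NSEC3 checks a real validator performs; it only shows why a validator must look for a DS one level at a time and why an unsigned answer is acceptable at unsigned.cz but not at frantovo.cz in this constructed tree.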