In message <55592.216.191.251.36.1355342351.squir...@secure.webcon.ca>, "Robert Hardy" writes:

> I've got bind 9.8.1-P1 set up as a DNSSEC validating name server.
> af.mil uses DNSSEC and various web-based external validation tools seem
> happy with their setup. I've turned up my logging for DNSSEC validation
> and in bind for af.mil/DNSKEY only always fails validation. It seems
> perfectly happy with other records in the domain. When validation fails
> the error below is being logged:
>
> Dec 11 15:29:12 ahostname named[25509]: error (insecurity proof failed)
> resolving 'af.mil/DNSKEY/IN': 199.252.162.234#53
>
> Would anyone know why this is happening?
The .mil servers are broken. When you fall back to TCP due to TC=1 in the UDP response you get an empty response.

Mark

; <<>> DiG 9.10.0pre-alpha <<>> af.mil @199.252.154.234 +norec +dnssec dnskey +bufsize=1024 +ignore +tcp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56950
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1024
;; QUESTION SECTION:
;af.mil.                        IN      DNSKEY

;; Query time: 271 msec
;; SERVER: 199.252.154.234#53(199.252.154.234)
;; WHEN: Thu Dec 13 07:44:32 EST 2012
;; MSG SIZE  rcvd: 35

> Regards,
> Rob
>
> --
> ---------------------"Happiness is understanding."----------------------
> Robert Hardy C.E.O. Webcon Inc.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
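The failure mode Mark's dig output shows (a UDP reply flagged TC=1, then a TCP retry that answers NOERROR with zero answer records, so the validator never obtains the DNSKEY RRset it needs) is easy to check for mechanically when you have the two raw responses. The following is an added example, not code from the thread, from ISC or from BIND: a minimal DNS wire-format builder and parser in stdlib-only Python, plus a `diagnose()` check that reproduces the reasoning above. All messages are constructed inline so it runs offline; the "empty TCP reply" is built to match the dig output quoted in the message (id 56950, flags qr ra, one question, one OPT record with DO set and UDP size 1024, 35 bytes on the wire). The DNSKEY rdata in the "good" reply is a placeholder, not a real key.

```python
"""Detect 'TC=1 over UDP, empty NOERROR over TCP' for a DNSKEY lookup.

Added example (not from the bind-users thread or from BIND). Messages are
constructed below so the check can run offline; operators would feed it the
two responses captured from a resolver's UDP query and its TCP retry.
"""
import struct

TYPE_OPT, TYPE_DNSKEY = 41, 48
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
DO = 0x8000  # EDNS "DNSSEC OK" bit, carried in the OPT record's TTL field


def encode_name(name):
    """Encode 'af.mil.' as DNS labels: \\x02af\\x03mil\\x00."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def opt_record(bufsize=1024, do=True):
    # OPT RR: root name, type 41, class = advertised UDP size, TTL = ext flags, rdlen 0
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, DO if do else 0, 0)


def build_query(qname, qtype, txid=0x1234, bufsize=1024):
    # flags 0 => rd=0, the equivalent of dig's +norec; one question, one OPT
    return (struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 1)
            + encode_name(qname) + struct.pack("!HH", qtype, 1) + opt_record(bufsize))


def build_reply(txid, flags, qname, qtype, answers=(), bufsize=1024, do=True):
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 1)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for rtype, ttl, rdata in answers:
        # 0xC00C: pointer to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg + opt_record(bufsize, do)


def parse_response(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    records = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            records[section].append((name, rtype, rclass, ttl, msg[off:off + rdlen]))
            off += rdlen
    do = any(r[1] == TYPE_OPT and r[3] & DO for r in records["additional"])
    return {"id": txid, "rcode": flags & 0xF, "tc": bool(flags & TC), "qr": bool(flags & QR),
            "questions": questions, "answer_count": an, "records": records, "do": do}


def diagnose(udp_reply, tcp_reply):
    """Verdict for a UDP query followed by the TCP retry a resolver makes on TC=1."""
    u = parse_response(udp_reply)
    if not u["tc"]:
        return "udp-complete"                  # no truncation, no fallback needed
    t = parse_response(tcp_reply)
    if t["rcode"] != 0:
        return "tcp-rcode=%d" % t["rcode"]
    wanted = set(t["questions"])
    matching = [r for r in t["records"]["answer"] if (r[0], r[1]) in wanted]
    if not matching:
        return "broken: TC=1 over UDP, NOERROR but empty answer over TCP"
    return "ok: %d matching answer(s) over TCP" % len(matching)


# Constructed samples. TCP_EMPTY mirrors the dig output in the message above.
UDP_TRUNCATED = build_reply(56950, QR | TC | RA, "af.mil.", TYPE_DNSKEY)
TCP_EMPTY = build_reply(56950, QR | RA, "af.mil.", TYPE_DNSKEY)
PLACEHOLDER_KEY = struct.pack("!HBB", 257, 3, 8) + b"\x00" * 8   # flags 257, proto 3, alg 8, fake key
TCP_GOOD = build_reply(56950, QR | AA | RA, "af.mil.", TYPE_DNSKEY,
                       answers=[(TYPE_DNSKEY, 3600, PLACEHOLDER_KEY)])

if __name__ == "__main__":
    print(len(TCP_EMPTY), "bytes;", diagnose(UDP_TRUNCATED, TCP_EMPTY))
    print(diagnose(UDP_TRUNCATED, TCP_GOOD))
```

The parser only walks the header, question and RR framing, which is all the check needs; it does not interpret DNSKEY rdata or verify signatures. To apply it to a live case you would capture the resolver's UDP reply and the TCP retry (for example from a packet capture on port 53) and pass the two payloads to `diagnose()`; a "broken" verdict explains an "insecurity proof failed" log line like the one quoted, since the validator can neither fetch the DNSKEY RRset nor prove the zone insecure.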