I am building a new recursive DNS server. I have it set to forward records for a single zone to our HQ DNS servers. When I try to resolve a record, I get errors like this:
Sep 30 11:25:39 bltn-dns-04 named[2012]: validating @0x7fb51810b8f0: stc.corp SOA: got insecure response; parent indicates it should be secure Sep 30 11:25:39 bltn-dns-04 named[2012]: error (no valid RRSIG) resolving 'inelhqnagios.stc.corp/DS/IN': 10.21.0.101#53 Sep 30 11:25:39 bltn-dns-04 named[2012]: validating @0x7fb520545fe0: stc.corp SOA: got insecure response; parent indicates it should be secure Sep 30 11:25:39 bltn-dns-04 named[2012]: error (no valid RRSIG) resolving 'inelhqnagios.stc.corp/DS/IN': 10.21.0.100#53 Sep 30 11:25:39 bltn-dns-04 named[2012]: error (no valid DS) resolving 'inelhqnagios.stc.corp/A/IN': 10.21.0.100#53 Sep 30 11:25:39 bltn-dns-04 named[2012]: validating @0x7fb51810ac60: inelhqnagios.stc.corp A: bad cache hit (inelhqnagios.stc.corp/DS) Sep 30 11:25:39 bltn-dns-04 named[2012]: error (broken trust chain) resolving 'inelhqnagios.stc.corp/A/IN': 10.21.0.101#53 This seems to indicate that the servers at 10.21.0.100 and 101 are telling me that stc.corp domain is DNSSEC enabled. However, the new server fails to find any DS or RRSIG records, so validating this claim is not possible. Is this interpretation accurate? Are the errors I'm seeing here the result of a misconfigured DNS server at our HQ? I've seen on the internet people suggest disabling DNSSEC validation. That seems to be an extreme solution to this problem. It works, but my understanding is that this would disable DNSSEC validation globally, not just for a single zone. The HQ DNS servers at 10.21.0.100 and 101 are Microsoft DNS servers over which I have no control, if that information is relevant. I am running bind9 9.9.5 on Debian 8 with this single zone defined in an otherwise stock debian bind9 configuration. I can post the remainder of my config if it would be of use. zone "stc.corp" IN { type forward; forwarders { 10.21.0.100; 10.21.0.101; }; forward only; }; Thanks. --John _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users