Lars Kollstedt <l...@man-da.de> wrote: > > what do the following messages in loose combination mean?: > > Apr 22 09:23:01 resolver1 named[1201]: validating ip6.arpa/SOA: got insecure > response; parent indicates it should be secure
This means there is a DS record for ip6.arpa in the .arpa zone, but there were no RRSIG records in the response to the ip6.arpa SOA query. > I'm seeing this on all our resolvers and for a longer time already. The BIND > version I am running is currently 1:9.11.3+dfsg-1ubuntu1.11. This might be an instance of a bug that Mark mentioned last week: https://lists.isc.org/mailman/htdig/bind-users/2020-April/102982.html Older versions of BIND can fall back to non-DNSSEC queries for DNSSEC zones. This can be more common if there is network disruption (I don't know if the CenturyLink fibre cut issues have been resolved yet...) Tony. -- f.anthony.n.finch <d...@dotat.at> http://dotat.at/ German Bight, Humber: East or northeast 4 or 5, occasionally 6 at first. Moderate. Fair. Good. _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users