9.6.1-P1 log message

2009-08-25 Thread David Forrest
What do I have to do to correct whatever is causing this log message from 
named (9.6.1-P1-RedHat-9.6.1-4.P1.fc11)?


validating @0x7f9f2c60c200: dns1.registeredsite.com.dlv.isc.org DS: must be secure failure

Thanks in advance,
Dave
--
David Forrest 
St. Louis, Missouri

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: 9.6.1-P1 log message

2009-08-25 Thread David Forrest

On Tue, 25 Aug 2009, Jeremy C. Reed wrote:


On Tue, 25 Aug 2009, David Forrest wrote:


What do I have to do to correct whatever is causing this log message from
named (9.6.1-P1-RedHat-9.6.1-4.P1.fc11)?

validating @0x7f9f2c60c200: dns1.registeredsite.com.dlv.isc.org DS: must be secure failure


May need more context for this (like higher debug level for DNSSEC
category). (I have patches for improving the DNSSEC logging which are
planned for an upcoming BIND release.)

This may be:

must be secure failure, no DS and this is a delegation

must be secure failure, key is insecure, so mark the data as insecure
also.

must be secure failure, no supported algorithm/digest (dlv)

must be secure failure (DS)

must be secure failure, no supported algorithm/digest (DS)

must be secure failure, DLV lookup from a DLV subdomain

must be secure failure, DLV lookup from a DLV subdomain?

must be secure failure, not beneath secure root

must be secure failure at '%s', can't fall back to DLV

must be secure failure, no DS at zone cut (zone)

must be secure failure, is a delegation but no DS at zone cut (cache)

must be secure failure, no supported algorithm/digest (%s/DS)

Sorry this probably doesn't help much.



Thanks for the note anyway, Jeremy.  I got another response off-list, and 
since I'm not really using DNSSEC for anything, I just changed my options 
to:

dnssec-enable no;
dnssec-validation no;

and that seems to have done it.

Dave

--
David Forrest
St. Louis, Missouri


Re: 9.6.1-P1 log message

2009-08-25 Thread Mark Andrews

In message alpine.lfd.2.01.0908250838190.14...@maplepark.com, David Forrest writes:
 What do I have to do to correct whatever is causing this log message from 
 named (9.6.1-P1-RedHat-9.6.1-4.P1.fc11)?
 
 validating @0x7f9f2c60c200: dns1.registeredsite.com.dlv.isc.org DS: must be secure failure

This is usually because named has fallen back to plain DNS.  Please
ensure that you have a clean EDNS path and any forwarders you use
also have clean EDNS paths.

A clean EDNS path will accept EDNS responses up to 4096 bytes in
size.  Firewalls and DNS proxies in SOHO routers are known to
interfere with this, sometimes intentionally (firewalls) and
sometimes unintentionally (SOHO routers).

Firewalls must be configured to accept DNS responses bigger than
512 bytes.  They and SOHO routers also need to handle fragmented
responses.

A flaky link can also cause fallback to plain EDNS when too many
transactions time out.

The dlv namespace is marked as must-be-secure by named as a side
effect of dnssec-lookaside clause.

Mark

 Thanks in advance,
 Dave
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org