Back in August there was a thread on bind-users about messages
of the shape

 validating @[hex]: [name].dlv.isc.org DS: must be secure failure

(these are category "dnssec" severity "warning") and on 31 August I wrote:

We have been running two production recursive nameservers validating against
dlv.isc.org since 9 June, and first saw a batch of messages (for both servers)
like this on 20 July. We reported them to ISC and got suggestions along the
lines of Mark's above, along with an admission that current versions of BIND
give up on EDNS too easily in situations they maybe shouldn't, which may be
fixed in future releases.

Since then we have had a trickle of such warning messages in the logs. We
assume that they are the result of temporary network glitches somewhere,
but their frequency appears to be increasing, which is somewhat worrying.
It's also not clear whether any client queries are actually failing as a
result, or whether BIND is simply trying another dlv.isc.org nameserver
with better luck.

I have been looking at this again, and in fact there was a step function
on 21 August when the messages rose from almost nil to 15-20 per day, and
then fell back to almost nil after 15 September (we've seen just one since
then). We have been running BIND 9.6.1-P1 throughout.

I would be very interested to know whether other recursive nameserver
operators validating via dlv.isc.org have seen a similar pattern. I am
prepared to believe that the frequency is related to transient network
errors or delays, but I have no idea whether they are likely to be local
or at the dlv.isc.org server end.

--
Chris Thompson
Email: c...@cam.ac.uk