Hello, Since enabling the root TA in my resolver, I keep seeing from time to time:
21-Jul-2010 08:52:27.929 dnssec: debug 3: validating @0x134fe7e8: . SOA: attempting insecurity proof 21-Jul-2010 08:52:27.929 dnssec: debug 3: validating @0x134fe7e8: . SOA: insecurity proof failed 21-Jul-2010 08:52:27.929 dnssec: info: validating @0x134fe7e8: . SOA: got insecure response; parent indicates it should be secure Otherwise validation just works fine and mostly I see these: validating @0x134fe7e8: . SOA: marking as secure, noqname proof not needed Following an earlier comment on this list by Mark Andrews ( http://www.mail-archive.com/bind-users@lists.isc.org/msg04276.html ) I've checked the answers given by the 13 root instances (ipv4 and 6), and all answer to "dig . soa +dnssec" just fine. Trying to capture . SOA queries from the resolver (by a crude tcpdump/grep) failed to show something useful. Any idea what could be the reason for these messages, and how to confirm/retrace the events that lead to such messages? Could it be that lame auth server with a local (unsigned) copy of the root zone triggers this? best regards, Gilles -- Fondation RESTENA - DNS-LU 6, rue Coudenhove-Kalergi L-1359 Luxembourg tel: (+352) 424409 fax: (+352) 422473 _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
