Finally I caught one query/server that produces the ". SOA: got insecure response; parent indicates it should be secure" log each time:

"dig @ns ladeco.com. MX" does this every time, where ns runs bind 9.7.1-P2, with only the root TA configured.

The server serving that domain returns not exactly RFC-compliant answers:

; <<>> DiG 9.5.0-P2 <<>> @b.gtld-servers.net ladeco.com mx
;; QUESTION SECTION:
;ladeco.com. IN MX

;; AUTHORITY SECTION:
ladeco.com. 172800 IN NS not-renewed.joker.com.

;; ADDITIONAL SECTION:
not-renewed.joker.com. 172800 IN A 194.176.0.3

<<>> DiG 9.5.0-P2 <<>> @194.176.0.3 ladeco.com. MX
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4159
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ladeco.com. IN MX

;; AUTHORITY SECTION:
. 2560 IN SOA nxdomain.nrw.net. hostmaster. 1279119397 16384 2048 1048576 2560

;; Query time: 22 msec
;; SERVER: 194.176.0.3#53(194.176.0.3)
;; WHEN: Fri Jul 23 15:17:33 2010
;; MSG SIZE rcvd: 89

So bind is right in complaining, but the message is a bit misleading, in so far that it suggests a more serious issue.

What I don't quite understand is why that obviously rubbish authority section is not discarded before it even comes near the validator?

Gilles

--
Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473