On Wed, Sep 15, 2010 at 7:34 AM, Timothy Holtzen <t...@nebrwesleyan.edu> wrote:
> I am having trouble resolving the host name cod.ed.gov which I believe
> may be dnssec related
...
> in my logs I am getting the messages:
>
> validating @0x2ab727eb5810: cod.ed.gov A: got insecure response; parent
> indicates it should be secure
> dnssec: info: validating @0x2ab727eb5810: cod.ed.gov A: got insecure
> response; parent indicates it should be secure
> error (insecurity proof failed) resolving 'cod.ed.gov/A/IN': 63.150.74.34#53
>

There are DS RRs for cod.ed.gov in the parent zone (ed.gov), indicating that cod.ed.gov should be signed with a DNSKEY corresponding to the existing DS RR. However, cod.ed.gov is not signed, particularly not with the DNSKEY corresponding to the DS RR, which DNSKEY doesn't seem to exist in the zone at all.

http://dnsviz.net/d/cod.ed.gov/dnssec/

To remedy the issue, the ed.gov administrators should remove the DS RR for cod.ed.gov from the ed.gov zone, which will make cod.ed.gov an insecure delegation (meaning that it can continue to be unsigned). If desired, the zone can then be re-signed, and the appropriate DS RRs added to the parent.

I can send them a note off-list.

Regards,
Casey