Hi Rob,

VeriSign contact as the operator of g.gtld-servers.net in CC.

I think your resolver is noticing the right thing here. When running multiple queries against this server I occasionally receive a response that indeed has no signatures:

$ dig @192.42.93.30 google.com +dnssec +norec

; <<>> DiG 9.7.3-P3 <<>> @192.42.93.30 google.com +dnssec +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61625
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;google.com.                    IN      A

;; AUTHORITY SECTION:
google.com.             172800  IN      NS      ns2.google.com.
google.com.             172800  IN      NS      ns1.google.com.
google.com.             172800  IN      NS      ns3.google.com.
google.com.             172800  IN      NS      ns4.google.com.

;; ADDITIONAL SECTION:
ns2.google.com.         172800  IN      A       216.239.34.10
ns1.google.com.         172800  IN      A       216.239.32.10
ns3.google.com.         172800  IN      A       216.239.36.10
ns4.google.com.         172800  IN      A       216.239.38.10

;; Query time: 192 msec
;; SERVER: 192.42.93.30#53(192.42.93.30)
;; WHEN: Wed Feb 29 13:46:17 2012
;; MSG SIZE  rcvd: 175

Probably one system in a load balancer setup that is broken. For the record, I seem to end up at their San Francisco site:

$ mtr -r -c 1 -w 192.42.93.30
 4.|-- 3842.gi0.br1.cit190.uecomm.net.au     0.0%  1    4.2    4.2    4.2    4.2  0.0
 5.|-- vlan323.o3mlc76f05.optus.net.au       0.0%  1    7.3    7.3    7.3    7.3  0.0
 6.|-- 61.88.221.71                          0.0%  1   19.4   19.4   19.4   19.4  0.0
 7.|-- 203.208.148.17                        0.0%  1  230.4  230.4  230.4  230.4  0.0
 8.|-- xe-4-1-0-0.laxow-dr2.ix.singtel.com   0.0%  1  177.3  177.3  177.3  177.3  0.0
 9.|-- ???                                   100.0 1    0.0    0.0    0.0    0.0  0.0
10.|-- xe-0-2-0.r2.bb-fo.lax2.vrsn.net       0.0%  1  174.4  174.4  174.4  174.4  0.0
11.|-- xe-1-1-0.r2.bb-fo.sfo1.vrsn.net       0.0%  1  184.8  184.8  184.8  184.8  0.0
12.|-- xe-0-2-0.r1.bb-fo.sfo1.vrsn.net       0.0%  1  175.9  175.9  175.9  175.9  0.0
13.|-- xe-1-1-0.r1.edge-fo.sfo1.vrsn.net     0.0%  1  176.6  176.6  176.6  176.6  0.0
14.|-- host-158.edge-fo.sfo1.verisign.com    0.0%  1  185.2  185.2  185.2  185.2  0.0
15.|-- g.gtld-servers.net                    0.0%  1  178.8  178.8  178.8  178.8  0.0

Regards,

--
Wolfgang Nagele
Senior Systems and Network Administrator
AusRegistry Pty Ltd
Level 8, 10 Queens Road
Melbourne, Victoria, Australia, 3004
Phone +61 3 9090 1756
Email: wolfgang.nag...@ausregistry.com.au
Web: www.ausregistry.com.au

On Feb 29, 2012, at 10:54 AM, Rob Leslie wrote:

> Hello all,
>
> Recently I’ve started getting numerous errors in my logs of the form:
>
> Feb 24 15:12:50 server named[3511]: validating @0xb8976b78: com SOA: got
> insecure response; parent indicates it should be secure
> Feb 24 15:12:50 server named[3511]: error (no valid RRSIG) resolving
> 'google.com/DS/IN': 192.42.93.30#53
>
> These errors have occurred while attempting to resolve many different domains
> (always under com or net), have occurred on several independent nameservers,
> always involve SOA/DS RR types, and always mention 192.42.93.30
> (g.gtld-servers.net).
>
> The above date and time appears to be one of the earliest occurrences, but it
> has been occurring consistently, about a few times per hour, ever since.
>
> I’ve not noticed any problems with DNS resolution, and validation otherwise
> seems to be working normally.
>
> Can anyone point me in the right direction to help me understand what is
> causing this?
>
> Thanks,
>
> --
> Rob Leslie
> r...@mars.org
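
Added example, not part of the original thread: a small classifier for the kind of intermittent check described in the reply above, which tallies how many `dig +dnssec +norec` replies from one server address arrive without any RRSIG. The names `classify` and `sample` are hypothetical, the signed reply is a constructed sample, and the check assumes the queried zone is signed, so that every reply echoing the DO bit should carry at least one RRSIG.

```python
import subprocess
from collections import Counter

# Reply quoted in the post (abridged): DO bit echoed, NS records only.
UNSIGNED_REPLY = """\
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; AUTHORITY SECTION:
google.com.     172800  IN  NS  ns2.google.com.
google.com.     172800  IN  NS  ns1.google.com.
;; ADDITIONAL SECTION:
ns2.google.com. 172800  IN  A   216.239.34.10
"""

# Constructed healthy referral: the NSEC3 record denying a DS arrives with
# its RRSIG. Hash labels and signature data are placeholders.
SIGNED_REPLY = UNSIGNED_REPLY.replace(
    ";; ADDITIONAL SECTION:",
    "HASH0.com. 86400 IN NSEC3 1 1 0 - HASH1 NS DS RRSIG\n"
    "HASH0.com. 86400 IN RRSIG NSEC3 8 2 86400 ( placeholder )\n"
    ";; ADDITIONAL SECTION:")

def classify(dig_output):
    """Return 'signed', 'unsigned' or 'no-do' for one dig +dnssec reply."""
    do_bit, section, types = False, None, []
    for line in dig_output.splitlines():
        line = line.strip()
        if line.startswith(";"):
            if "EDNS:" in line and "flags: do" in line:
                do_bit = True          # server echoed the DO bit
            elif line.endswith("SECTION:"):
                section = line.lstrip("; ").split()[0]
            continue
        fields = line.split()
        # Resource record lines read: name ttl class type rdata...
        if section in ("ANSWER", "AUTHORITY") and len(fields) >= 5:
            types.append(fields[3])
    if not do_bit:
        return "no-do"                 # DO bit absent, no signatures expected
    return "signed" if "RRSIG" in types else "unsigned"

def sample(server, name, count=20):
    """Tally classify() over repeated live queries (needs dig and network)."""
    tally = Counter()
    for _ in range(count):
        out = subprocess.run(["dig", "@" + server, name, "+dnssec", "+norec"],
                             capture_output=True, text=True, timeout=15).stdout
        tally[classify(out)] += 1
    return tally
```

A tally that mixes 'signed' and 'unsigned' for the same server address fits the reply's guess that one system behind a load balancer is answering without signatures.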