Hi,

This is driving me nuts. I have three BIND 9.18.24 instances running on FreeBSD. Two of them on FreeBSD 14, one on FreeBSD 13.2.

Just one of the servers is failing to resolve a single domain compared to the other two: checkpoint.com.

I get these errors:

<142>1 2024-03-12T11:36:21.957013+00:00 dnsanycast named 86604 - - insecurity proof failed resolving 'checkpoint.com/A/IN': 198.51.44.65#53
<142>1 2024-03-12T11:36:21.941389+00:00 dnsanycast named 86604 - - insecurity proof failed resolving 'checkpoint.com/A/IN': 198.51.45.1#53
<142>1 2024-03-12T11:36:21.924666+00:00 dnsanycast named 86604 - - insecurity proof failed resolving 'checkpoint.com/A/IN': 198.51.45.65#53
<142>1 2024-03-12T11:36:21.907492+00:00 dnsanycast named 86604 - - insecurity proof failed resolving 'checkpoint.com/A/IN': 198.51.44.1#53

and these:

validating checkpoint.com/A: got insecure response; parent indicates it should be secure

And ultimately my DNS server returns a SERVFAIL.

The puzzling thing is, the other two servers work (this is a check on a different server from the same pool).

; <<>> DiG 9.18.24 <<>> @127.0.0.1 checkpoint.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40171
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: aa16c8ceb3a9eee90100000065f0416206a44938e6d8f2b4 (good)
;; QUESTION SECTION:
;checkpoint.com.                IN      A

;; ANSWER SECTION:
checkpoint.com.         18      IN      A       54.230.112.31
checkpoint.com.         18      IN      A       54.230.112.106
checkpoint.com.         18      IN      A       54.230.112.68
checkpoint.com.         18      IN      A       54.230.112.55

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue Mar 12 11:49:54 UTC 2024
;; MSG SIZE  rcvd: 135

I have the same configuration, using dnssec-validation set to auto.

Any clue on what might be failing? I am really lost!

Thanks,

Borja.
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users