
I administer a couple of networks with 10-30 machines, and I run a bind nameserver to provide DNS resolution to my clients (instead of forwarding to Comcast or Google -- I don't care to advertise my users' internet activity that way). My nameserver is authoritative for some local things, and it does full from-root resolution of everything else. This mostly works correctly, but even after a fresh restart, it doesn't take long for bind to start logging "got insecure response; parent indicates it should be secure" errors. I believe these occur when a brand-new name is resolved, when my copy of bind starts resolving from .com or .org or whatever.

I haven't yet dug into the current DNS protocol, or started tcpdump sniffing; I hope that somebody will be able to say "your timebase is off" or something similar that will save me from the deep DNS dive. (I have NTP running, and I believe my system times are close enough that that's not the problem.)

Is there a common problem that affects small sites running a recursing nameserver like this? Or is there a good tool for running in parallel to bind that can help me figure out why bind is complaining? Note that even when some names won't resolve, I believe others do. For example, I might have a problem with foo.bar.com. that is reported as "validating .com/SOA: got insecure response", but gibble.gobble.com resolves OK. (My bind is running on a self-built OpenWRT router, so it's somewhat inconvenient to build new versions of tools, but if I have to re-build and re-install a new system, I could do it.)

1 Answer

The message means that the domain you are looking at is DNSSEC-enabled (i.e. the parent domain has a DS record pointing to the child, meaning that records in the child should be signed), but either the response didn't come with a DNSSEC signature (misconfiguration on the domain) or your nameserver failed to interpret the DNSSEC signature (perhaps the signature was generated with a crypto algorithm that your DNS server can't handle). Without a specific example of a domain that failed to resolve, we can't know which.

You could turn off DNSSEC validation, which will certainly stop the errors (and name-resolution failures), but security-wise that's not a great idea. If you never lock the front door of your house, you will never find yourself locked out either ;-) If the cause of the errors is DNSSEC misconfiguration on the domain, there is obviously not much you can do about it (I don't think BIND provides a way to selectively ignore DNSSEC errors on a per-domain basis, even if you wanted to). If the problem is an unsupported crypto algorithm in your version of BIND, then an update to BIND might be the only fix.
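The answer's diagnosis hinges on the link between the parent's DS record and the child's DNSKEY RRset, which is exactly what a validating resolver checks at every delegation. The script below is an added example, not code from the original post or from BIND: given DS and DNSKEY records in the text form `dig` prints, it recomputes each DNSKEY's key tag (RFC 4034 Appendix B), recomputes the DS digest over the owner name plus DNSKEY RDATA, and reports which of the answer's cases applies. The records in it are constructed (a four-byte "key" is obviously not a real RSA key), and `SUPPORTED_ALGS` is a hypothetical set standing in for what an older BIND build might implement.

```python
# Added example, not from the original post or from BIND. It checks a
# delegation the way a validating resolver does: the parent's DS must
# match a DNSKEY at the child's apex by key tag, algorithm and digest.
# All records below are constructed for illustration.
import base64
import hashlib
from dataclasses import dataclass

# Hypothetical set of DNSSEC algorithms an older resolver build supports
# (RSASHA1, RSASHA1-NSEC3, RSASHA256, RSASHA512, ECDSAP256, ECDSAP384).
SUPPORTED_ALGS = {5, 7, 8, 10, 13, 14}
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


@dataclass
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes

    @property
    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.pubkey)


@dataclass
class DS:
    owner: str
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit sum with carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name: str) -> bytes:
    """Canonical wire-format owner name: lower-cased labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_digest(key: DNSKEY, digest_type: int) -> bytes:
    """DS digest = H(owner name in wire format || DNSKEY RDATA)."""
    return DIGESTS[digest_type](wire_name(key.owner) + key.rdata).digest()


def make_ds(key: DNSKEY, digest_type: int = 2) -> DS:
    """The DS record the parent would have to publish for this child key."""
    return DS(key.owner, key_tag(key.rdata), key.algorithm,
              digest_type, ds_digest(key, digest_type))


def parse_dnskey(line: str) -> DNSKEY:
    """Parse a dig-style line: 'owner TTL IN DNSKEY flags proto alg base64...'."""
    t = line.split()
    i = t.index("DNSKEY")
    return DNSKEY(t[0], int(t[i + 1]), int(t[i + 2]), int(t[i + 3]),
                  base64.b64decode("".join(t[i + 4:])))


def parse_ds(line: str) -> DS:
    """Parse a dig-style line: 'owner TTL IN DS keytag alg dtype hex...'."""
    t = line.split()
    i = t.index("DS")
    return DS(t[0], int(t[i + 1]), int(t[i + 2]), int(t[i + 3]),
              bytes.fromhex("".join(t[i + 4:])))


def check_delegation(ds_records, dnskeys, supported=SUPPORTED_ALGS) -> str:
    """Classify the DS -> DNSKEY link: 'secure', 'digest-mismatch',
    'no-matching-key' (parent says signed, child publishes no such key) or
    'unsupported-algorithm' (no DS uses an algorithm/digest we implement)."""
    usable = [ds for ds in ds_records
              if ds.algorithm in supported and ds.digest_type in DIGESTS]
    if not usable:
        return "unsupported-algorithm"
    seen_key = False
    for ds in usable:
        for k in dnskeys:
            # 0x100 is the Zone Key flag; only zone keys may be DS targets.
            if (k.flags & 0x100 and k.algorithm == ds.algorithm
                    and key_tag(k.rdata) == ds.key_tag):
                seen_key = True
                if ds_digest(k, ds.digest_type) == ds.digest:
                    return "secure"
    return "digest-mismatch" if seen_key else "no-matching-key"


# Constructed records (not real zone data): a tiny fake KSK, the DS the
# parent would need for it, and a DS using algorithm 15 (ED25519), which
# is outside the hypothetical SUPPORTED_ALGS above.
CHILD_KSK = parse_dnskey("example.com. 3600 IN DNSKEY 257 3 8 AQIDBA==")
GOOD_DS = make_ds(CHILD_KSK)
ED25519_DS = parse_ds("example.com. 3600 IN DS 2063 15 2 " + "00" * 32)

if __name__ == "__main__":
    print("key tag:", key_tag(CHILD_KSK.rdata))
    print(check_delegation([GOOD_DS], [CHILD_KSK]))
    print(check_delegation([ED25519_DS], [CHILD_KSK]))
    print(check_delegation([GOOD_DS], []))
```

To use it against a real name, paste the output of `dig +norecurse DS child.example.` (asked of the parent's nameservers) and `dig DNSKEY child.example.` (asked of the child's) into `parse_ds` and `parse_dnskey`, and feed the results to `check_delegation`. Two caveats worth knowing before reading the result. First, a validator that implements none of the algorithms in the DS RRset is required by RFC 4035 section 5.2 to treat the child as insecure, not bogus, so an algorithm gap tends to show up as silently unvalidated answers rather than as the error in the question; "no-matching-key" and a child answer with no RRSIGs at all are the cases that match the log line. Second, this script only checks the delegation link; it does not verify RRSIG signatures or chase the chain from the root, which is what `delv` (shipped with BIND 9.10 and later) or `dig +dnssec +cd` against the same resolver will do for you with a stated reason for each failure.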
