I administer a couple of networks with 10-30 machines, and I run a `bind` nameserver to provide DNS resolution to my clients (instead of forwarding to Comcast or Google -- I don't care to advertise my users' internet activity that way). My nameserver is authoritative for some local things, and it does full from-root resolution of everything else. This mostly works correctly, but even after a fresh restart, it doesn't take long for `bind` to start logging `got insecure response; parent indicates it should be secure` errors. I believe these occur when a brand-new name is resolved, when my copy of `bind` starts resolving from `.com` or `.org` or whatever.

I haven't yet dug into the current DNS protocol, or started `tcpdump` sniffing; I hope that somebody will be able to say "your timebase is off" or something similar that will save me from the deep DNS dive. (I have NTP running, and I believe my system times are close enough that that's not the problem.)

Is there a common problem that affects small sites running a recursing nameserver like this? Or is there a good tool for running in parallel to `bind` that can help me figure out why `bind` is complaining? Note that even when some names won't resolve, I believe others do. For example, I might have a problem with `foo.bar.com.` that is reported as `validating .com/SOA: got insecure response`, but `gibble.gobble.com` resolves OK. (My `bind` is running on a self-built OpenWRT router, so it's somewhat inconvenient to build new versions of tools, but if I have to re-build and re-install a new system, I could do it.)
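Before going to `tcpdump`, the cheapest first step is to find out whether the `got insecure response; parent indicates it should be secure` lines cluster on one owner name, one record type or one parent zone, since that message means the validator found a DS record in the parent zone but the child's answer carried no usable signatures. The script below is an added example, not code from the poster or from BIND: it scans `named` log text for that exact message and tallies the failures. The sample log lines are constructed, and the regex only keys on the trailing `validating <name>/<type>: ...` part because the timestamp and category prefix differ between BIND versions and logging configurations.

```python
import re
import sys
from collections import Counter

# Constructed sample lines in the slash-separated "name/TYPE" form quoted in
# the question; they are not taken from the poster's router. The prefix
# (timestamp, category, severity) is illustrative and is ignored by the parser.
SAMPLE_LOG = """\
22-Jan-2014 10:01:02.123 dnssec: info: validating foo.bar.com/A: got insecure response; parent indicates it should be secure
22-Jan-2014 10:01:02.456 dnssec: info: validating .com/SOA: got insecure response; parent indicates it should be secure
22-Jan-2014 10:01:05.001 dnssec: info: validating foo.bar.com/AAAA: got insecure response; parent indicates it should be secure
22-Jan-2014 10:02:00.010 dnssec: info: validating example.org/DS: got insecure response; parent indicates it should be secure
22-Jan-2014 10:02:30.500 lame-servers: info: error (no valid RRSIG) resolving 'www.example.net/A/IN': 192.0.2.53#53
22-Jan-2014 10:03:00.000 dnssec: info: validating gibble.gobble.com/A: verify rdataset (keyid=12345): success
"""

# Matches only the message the question is about; other validator or
# lame-server noise is deliberately left out of the tally.
INSECURE_RE = re.compile(
    r"validating (?P<name>\S+)/(?P<rrtype>[A-Z0-9]+): "
    r"got insecure response; parent indicates it should be secure"
)


def parse_insecure_events(log_text):
    """Return a list of (owner_name, rrtype) for every matching log line."""
    events = []
    for line in log_text.splitlines():
        m = INSECURE_RE.search(line)
        if m:
            events.append((m.group("name"), m.group("rrtype")))
    return events


def parent_zone(name):
    """Parent of an owner name: 'foo.bar.com' -> 'bar.com', '.com' -> '.'.

    Leading/trailing dots are tolerated so both 'com.' and '.com' map to the root.
    """
    labels = [label for label in name.split(".") if label]
    if len(labels) <= 1:
        return "."
    return ".".join(labels[1:])


def summarize(events):
    """Tally failures by owner name, record type and parent zone.

    A single dominant parent zone or record type is the pattern worth
    chasing with dig before resorting to a packet capture.
    """
    return {
        "by_name": Counter(name for name, _ in events),
        "by_type": Counter(rrtype for _, rrtype in events),
        "by_parent": Counter(parent_zone(name) for name, _ in events),
    }


def report(log_text):
    """Human-readable summary of the insecure-response failures in log_text."""
    events = parse_insecure_events(log_text)
    summary = summarize(events)
    lines = ["%d 'got insecure response' event(s)" % len(events)]
    for key in ("by_parent", "by_type", "by_name"):
        lines.append(key.replace("_", " ") + ":")
        for value, count in summary[key].most_common():
            lines.append("  %6d  %s" % (count, value))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python triage.py /var/log/named.log  (or no argument for the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(text))
```

Once the tally shows which name or zone is failing, `dig +dnssec <name> <type> @127.0.0.1` and the same query with `+cd` (checking disabled) on the router show whether the RRSIG records are actually missing from the answer on the wire or are present and merely failing to validate, which is the distinction the log line alone does not make.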