On Tue, 25 Aug 2009, Jeremy C. Reed wrote:
On Tue, 25 Aug 2009, David Forrest wrote:
What do I have to do to correct whatever is causing this log message from
named (9.6.1-P1-RedHat-9.6.1-4.P1.fc11)?
validating @0x7f9f2c60c200: dns1.registeredsite.com.dlv.isc.org DS: must be
secure failure
May need more context for this (like higher debug level for DNSSEC
category). (I have patches for improving the DNSSEC logging which are
planned for upcoming BIND release.)
This may be:
"must be secure failure, no DS and this is a delegation"
"must be secure failure, key is insecure, so mark the data as insecure
also."
"must be secure failure, no supported algorithm/digest (dlv)"
"must be secure failure (DS)"
"must be secure failure, no supported algorithm/digest (DS)"
"must be secure failure, DLV lookup from a DLV subdomain"
"must be secure failure, DLV lookup from a DLV subdomain?"
"must be secure failure, not beneath secure root"
"must be secure failure at '%s', can't fall back to DLV"
"must be secure failure, no DS at zone cut (zone)"
"must be secure failure, is a delegation but no DS at zone cut (cache)"
"must be secure failure, no supported algorithm/digest (%s/DS)"
Sorry this probably doesn't help much.
Thanks for the note anyway, Jeremy. I got another response off-list, and
since I'm not really using DNSSEC for anything, I just changed my options
to:
dnssec-enable no;
dnssec-validation no;
and that seems to have done it.
Dave
--
David Forrest
St. Louis, Missouri
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
