In message <4d4693cb.60...@dialtelecom.cz>, "rysl...@dialtelecom.cz" writes:
> Hello, we have a DNS resolver running the latest 9.7 bind version, and
> there is a problem with several zones from these authoritative servers
> (frantovo.cz is just an example, the problem prevails in all signed
> zones from these authoritative servers):
>
> frantovo.cz. 3111 IN NS ns.forpsi.net.
> frantovo.cz. 3111 IN NS ns.forpsi.cz.
> frantovo.cz. 3111 IN NS ns.forpsi.it.
>
> Our resolver logs this:
>
> 31-Jan-2011 11:45:30.837 dnssec: debug 3: validating @0xd69c000:
> frantovo.cz NS: starting
> 31-Jan-2011 11:45:30.837 dnssec: debug 3: validating @0xd69c000:
> frantovo.cz NS: attempting insecurity proof
> 31-Jan-2011 11:45:30.837 dnssec: debug 3: validating @0xd69c000:
> frantovo.cz NS: checking existence of DS at 'cz'
> 31-Jan-2011 11:45:30.837 dnssec: debug 3: validating @0xd69c000:
> frantovo.cz NS: checking existence of DS at 'frantovo.cz'
> 31-Jan-2011 11:45:30.837 dnssec: debug 3: validating @0xd69c000:
> frantovo.cz NS: insecurity proof failed
> 31-Jan-2011 11:45:30.837 dnssec: info: validating @0xd69c000:
> frantovo.cz NS: got insecure response; parent indicates it should be secure
>
>
> The problem arises from the fact that all these servers fail to respond
> to queries on DS record for their zones:
>
> # dig @ns.forpsi.cz frantovo.cz ds
>
> ; <<>> DiG 9.7.2-P2 <<>> @ns.forpsi.cz frantovo.cz ds
> ; (1 server found)
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
>
> Which is strange, because according to RFCs, the DS record for a given
> zone is required only in the parent zone, not the child zone itself.
> Does BIND query for the existence of a DS record in the child zone, and
> if so, why? Or is the cause of the problem different?

What makes you think named asked those servers? DS at 'frantovo.cz'
will be asked to the parent (cz) zone.

> Any advice would be welcome, thanks in advance.
>
> Best Regards
> Daniel Ryslink
>
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
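
The validator log lines quoted above, run through a small triage script that reports which zone the DS query for each failed insecurity proof belongs to. This is an added example, not part of the original thread and not BIND code; `triage`, `parent_zone` and the assumption that the zone cut sits one label up are illustrative.

```python
import re

# The validator lines from the message above, with mail quoting and wrapping undone.
SAMPLE_LOG = """\
31-Jan-2011 11:45:30.837 dnssec: debug 3: validating @0xd69c000: frantovo.cz NS: starting
31-Jan-2011 11:45:30.837 dnssec: debug 3: validating @0xd69c000: frantovo.cz NS: attempting insecurity proof
31-Jan-2011 11:45:30.837 dnssec: debug 3: validating @0xd69c000: frantovo.cz NS: checking existence of DS at 'cz'
31-Jan-2011 11:45:30.837 dnssec: debug 3: validating @0xd69c000: frantovo.cz NS: checking existence of DS at 'frantovo.cz'
31-Jan-2011 11:45:30.837 dnssec: debug 3: validating @0xd69c000: frantovo.cz NS: insecurity proof failed
31-Jan-2011 11:45:30.837 dnssec: info: validating @0xd69c000: frantovo.cz NS: got insecure response; parent indicates it should be secure
"""

LINE_RE = re.compile(
    r"dnssec: (?:debug \d+|info): validating @(?P<vid>0x[0-9a-f]+): "
    r"(?P<name>\S+) (?P<rtype>\S+): (?P<msg>.*)$"
)
DS_RE = re.compile(r"checking existence of DS at '([^']+)'")
FAILURES = ("insecurity proof failed", "parent indicates it should be secure")


def parent_zone(name):
    """Zone whose servers are asked for DS at `name`.
    Assumption: the zone cut is one label up, which holds for frantovo.cz under cz."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) or "."


def triage(log_text):
    """Return one record per validation whose insecurity proof failed."""
    runs, current = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (m["vid"], m["name"], m["rtype"])
        if m["msg"] == "starting" or key not in current:
            current[key] = {"name": m["name"], "rtype": m["rtype"],
                            "ds_checked": [], "failed": False}
            runs.append(current[key])
        run = current[key]
        ds = DS_RE.search(m["msg"])
        if ds:
            run["ds_checked"].append(ds.group(1))
        elif any(s in m["msg"] for s in FAILURES):
            run["failed"] = True
    for run in runs:
        # Heuristic: the last DS name checked is the one to re-query, at its parent zone.
        run["ask_parent"] = parent_zone(run["ds_checked"][-1]) if run["ds_checked"] else None
    return [r for r in runs if r["failed"]]
```

For the sample, `triage(SAMPLE_LOG)` yields one record for `frantovo.cz NS` with `ask_parent` set to `cz`, matching the reply: the DS for 'frantovo.cz' is a question for the cz servers, not for ns.forpsi.*.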