Graham Clinch <g.cli...@lancaster.ac.uk> wrote: > > I'm seeing a dnssec validation error that I can't pin down, for the domain: > newsletter.postbank.de.
Looks like a bug in BIND to me. It works out that there is no DS in the parent then gets muddled. I note that postbank.de is in the middle of a double-signature ZSK rollover. Dunno if that is relevant, but it is a bit unusual. 20-Jan-2014 12:18:51.415 dnssec: debug 3: validating @0x8071e8300: newsletter.postbank.de DS: in authvalidated 20-Jan-2014 12:18:51.415 dnssec: debug 3: validating @0x8071e8300: newsletter.postbank.de DS: resuming nsecvalidate 20-Jan-2014 12:18:51.415 dnssec: debug 3: validating @0x8071e8300: newsletter.postbank.de DS: looking for relevant NSEC3 20-Jan-2014 12:18:51.415 dnssec: debug 3: validating @0x8071e8300: newsletter.postbank.de DS: looking for relevant NSEC3 20-Jan-2014 12:18:51.415 dnssec: debug 3: validating @0x8071e8300: newsletter.postbank.de DS: NSEC3 proves name exists (owner) data=0 20-Jan-2014 12:18:51.415 dnssec: debug 3: validating @0x8071e8300: newsletter.postbank.de DS: nonexistence proof(s) found 20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80b044860(newsletter.postbank.de/DS): received validation completion event 20-Jan-2014 12:18:51.415 dnssec: debug 3: validator @0x8071e8300: dns_validator_destroy 20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80b044860(newsletter.postbank.de/DS): nonexistence validation OK ... right ... 20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80b044860(newsletter.postbank.de/DS): clone_results 20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80b044860(newsletter.postbank.de/DS): done 20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80b044860(newsletter.postbank.de/DS): stopeverything 20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80b044860(newsletter.postbank.de/DS): cancelqueries 20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80b044860(newsletter.postbank.de/DS): sendevents 20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80ac04000(postbank.de/DNSKEY): doshutdown 20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80ac04000(postbank.de/DNSKEY): stopeverything 20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80ac04000(postbank.de/DNSKEY): cancelqueries 20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80ac04000(postbank.de/DNSKEY): unlink 20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80ac04000(postbank.de/DNSKEY): destroy 20-Jan-2014 12:18:51.415 dnssec: debug 3: validating @0x80bb74500: newsletter.postbank.de A: in dsfetched2: ncache nxrrset 20-Jan-2014 12:18:51.415 dnssec: debug 3: validating @0x80bb74500: newsletter.postbank.de A: resuming proveunsecure 20-Jan-2014 12:18:51.415 dnssec: debug 3: validating @0x80bb74500: newsletter.postbank.de A: insecurity proof failed ... what? ... 20-Jan-2014 12:18:51.416 resolver: debug 3: fetch 0x801859ff0 (fctx 0x80b044860(newsletter.postbank.de/DS)): destroyfetch 20-Jan-2014 12:18:51.416 resolver: debug 3: fctx 0x80b044860(newsletter.postbank.de/DS): shutdown 20-Jan-2014 12:18:51.416 resolver: debug 3: fctx 0x80b044430(newsletter.postbank.de/A): received validation completion event 20-Jan-2014 12:18:51.416 dnssec: debug 3: validator @0x80bb74500: dns_validator_destroy 20-Jan-2014 12:18:51.416 resolver: debug 3: fctx 0x80b044430(newsletter.postbank.de/A): validation failed 20-Jan-2014 12:18:51.416 resolver: debug 3: fctx 0x80b044430(newsletter.postbank.de/A): add_bad 20-Jan-2014 12:18:51.416 lame-servers: info: error (insecurity proof failed) resolving 'newsletter.postbank.de/A/IN': 195.140.184.21#53 Tony. -- f.anthony.n.finch <d...@dotat.at> http://dotat.at/ Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasionally poor at first. _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users