
It's my first question to the forum here, so please go easy on me. I'm a Linux newbie and I experimented with setting up my own Ubuntu server (server name: araliya, domain: autun.hom, IP: 192.168.1.99). I set up everything and installed bind9 to set up a DNS server using the tutorial posted here (How do I do a complete BIND9 DNS Server Configuration with a hostname?).

Everything went actually very well, until the step at the very end, when I had to check whether the DNS server is working. When I gave the following command, I got a good output.

> named-checkzone autun.hom /etc/bind/zones/db.autun.hom
  zone autun.hom /IN: loaded serial   2
  Ok

However, when I did the same thing for my reverse DNS lookup I got a slightly different answer.

> named-checkzone autun.hom /etc/bind/zones/db.192
  zone autun.hom /IN: loaded serial   1
  Ok 

The tutorial said that the output of "named-checkzone" should be the same for forward and reverse lookup zones. But the "loaded serial" value I get is different between the two answers.

When I followed all the other tests including, dig, hostname, nslookup, I get good output. In fact, my DNS server looks like it's working. When I checked the syslog, however, I get lots of errors:

May 10 20:09:04 araliya named[1026]: validating @0x7f1314706200: . NS: got insecure response; parent indicates it should be secure
May 10 20:09:04 araliya named[1026]: error (insecurity proof failed) resolving './NS/IN': 192.168.1.1#53
May 10 20:09:12 araliya named[1026]: validating @0x7f1314706200: . NS: got insecure response; parent indicates it should be secure
May 10 20:09:12 araliya named[1026]: error (insecurity proof failed) resolving './NS/IN': 192.168.1.1#53
May 10 20:09:13 araliya named[1026]: error (network unreachable) resolving './NS/IN': 2001:7fe::53#53
May 10 20:09:24 araliya named[1026]: validating @0x7f1314706200: . NS: got insecure response; parent indicates it should be secure
May 10 20:09:24 araliya named[1026]: error (insecurity proof failed) resolving './NS/IN': 192.168.1.1#53

The weird thing is that all hostnames are being resolved correctly but it looks like I may have made a mistake somewhere. Can someone help me pinpoint where the error is?
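As an added example (not part of the question and not BIND's own tooling), here is a small Python triage script that parses the syslog lines quoted above, groups the errors by reason and upstream server, and turns each group into a defender-side reading. The sample lines are copied from the question; the regexes, the grouping and the interpretation text are this example's own assumptions.

```python
"""Triage BIND 'named' syslog lines for DNSSEC validation failures.

Added example, not from the original post. SAMPLE_LOG is the syslog excerpt
from the question; the parsing rules and the wording in explain() are this
example's own assumptions about what each message class means.
"""
import re
from collections import Counter

# Constructed sample input: the lines quoted in the question.
SAMPLE_LOG = """\
May 10 20:09:04 araliya named[1026]: validating @0x7f1314706200: . NS: got insecure response; parent indicates it should be secure
May 10 20:09:04 araliya named[1026]: error (insecurity proof failed) resolving './NS/IN': 192.168.1.1#53
May 10 20:09:12 araliya named[1026]: validating @0x7f1314706200: . NS: got insecure response; parent indicates it should be secure
May 10 20:09:12 araliya named[1026]: error (insecurity proof failed) resolving './NS/IN': 192.168.1.1#53
May 10 20:09:13 araliya named[1026]: error (network unreachable) resolving './NS/IN': 2001:7fe::53#53
May 10 20:09:24 araliya named[1026]: validating @0x7f1314706200: . NS: got insecure response; parent indicates it should be secure
May 10 20:09:24 araliya named[1026]: error (insecurity proof failed) resolving './NS/IN': 192.168.1.1#53
"""

# "error (<reason>) resolving '<name>/<type>/<class>': <server>#<port>"
ERROR_RE = re.compile(
    r"named\[\d+\]: error \((?P<reason>[^)]+)\) resolving "
    r"'(?P<qname>[^/]+)/(?P<qtype>[^/]+)/(?P<qclass>[^']+)': "
    r"(?P<server>\S+)#(?P<port>\d+)$"
)
# "validating @<ptr>: <name> <type>: <message>"
VALIDATING_RE = re.compile(
    r"named\[\d+\]: validating @0x[0-9a-f]+: (?P<name>\S+) (?P<qtype>\S+): (?P<msg>.+)$"
)


def parse_line(line):
    """Return a dict describing one named log line, or None if it is not recognised."""
    m = ERROR_RE.search(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "error"
        return rec
    m = VALIDATING_RE.search(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "validating"
        return rec
    return None


def triage(log_text):
    """Count errors per (reason, upstream server) and validator messages per text."""
    errors = Counter()
    validator = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "error":
            errors[(rec["reason"], rec["server"] + "#" + rec["port"])] += 1
        else:
            validator[rec["msg"]] += 1
    return {"errors": dict(errors), "validator": dict(validator)}


def explain(summary):
    """Turn each error group into a one-line, defender-side reading (this example's wording)."""
    notes = []
    for (reason, server), n in sorted(summary["errors"].items()):
        host = server.rsplit("#", 1)[0]
        if reason == "insecurity proof failed":
            notes.append(f"{server}: {n}x DNSSEC insecurity proof failed; this upstream returned "
                         "answers without the signed NSEC/NSEC3 or DS data the validator needs")
        elif reason == "network unreachable":
            family = "IPv6" if ":" in host else "IPv4"
            notes.append(f"{server}: {n}x unreachable; no {family} route to this server")
        else:
            notes.append(f"{server}: {n}x {reason}")
    return notes


if __name__ == "__main__":
    for note in explain(triage(SAMPLE_LOG)):
        print(note)
```

Run against the question's excerpt, the script attributes all three "insecurity proof failed" errors to the forwarder 192.168.1.1#53 and the single "network unreachable" error to an IPv6 root server address, which separates a DNSSEC problem on the upstream path from a plain lack of IPv6 connectivity.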

2 Answers

7

These error messages are related to dnssec. Remove or comment out all the lines in /etc/bind/named.conf.options that start with dnssec and restart bind9.

The best explanation for what's going on that I could find is here:

When the validator receives a response from an unsigned zone that has a signed parent, it must confirm with the parent that the zone was intentionally left unsigned. It does this by verifying, via signed and validated NSEC/NSEC3 records, that the parent zone contains no DS records for the child.

If the validator can prove that the zone is insecure, then the response is accepted. However, if it cannot, then it must assume an insecure response to be a forgery; it rejects the response and logs an error.

The logged error reads "insecurity proof failed" and "got insecure response; parent indicates it should be secure". (Prior to BIND 9.7, the logged error was "not insecure". This referred to the zone, not the response.)

itsadok
  • 2,904
  • Your answer guided me to the right solution: dnssec-validation no; in /etc/bind/named.conf.options – ArcherGodson Feb 26 '15 at 13:24
  • 2 · It seemed to me like turning off dnssec was a bad idea, so I added Google's DNS server to /etc/bind/named.conf.options and commented out the DNS servers that were throwing errors (namely Comcast's) – isaaclw Jul 31 '15 at 15:19
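To make the quoted BIND explanation concrete, here is an added Python model (not BIND's code and not part of the answer) of the insecurity proof: given the parent zone's validated NSEC record for the delegation name, it returns whether the child is proven insecure, must be secure, or the proof failed. The NSEC class, the `signed` flag standing in for a validated RRSIG, the canonical-ordering helper and the `example.`-based names are all assumptions of this example.

```python
"""Model of the DNSSEC 'insecurity proof' described in the BIND excerpt.

Added example, not part of the original answer and not BIND's implementation.
It uses a simplified NSEC record (owner, next, type set) and skips signature
checking: the 'signed' flag stands in for a validated RRSIG. Names are
assumed to be fully qualified and to live directly in the parent zone.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NSEC:
    owner: str
    next: str
    types: frozenset
    signed: bool = True  # assumption: True means the RRSIG over this NSEC validated


def canonical_key(name):
    """Canonical DNS name key: labels compared right to left, case-insensitively."""
    labels = [label.lower() for label in name.rstrip(".").split(".") if label]
    return tuple(reversed(labels))


def insecurity_proof(child, parent_nsecs):
    """Classify what the parent's NSEC data proves about the child delegation.

    Returns one of:
      'insecure'      matching validated NSEC shows NS but no DS: unsigned child, accept
      'secure'        matching validated NSEC shows DS: child must be signed, unsigned data is rejected
      'proof failed'  no usable validated NSEC for the child: reject and log, as in the question
    """
    for rec in parent_nsecs:
        if not rec.signed:
            continue  # an unvalidated NSEC proves nothing
        if canonical_key(rec.owner) == canonical_key(child):
            if "DS" in rec.types:
                return "secure"
            if "NS" in rec.types:
                return "insecure"
    return "proof failed"


def scenarios():
    """Constructed cases (not real DNS data) showing each outcome."""
    child = "unsigned.example."  # hypothetical delegation under a hypothetical signed parent
    ns_only = NSEC("unsigned.example.", "www.example.", frozenset({"NS", "RRSIG", "NSEC"}))
    with_ds = NSEC("unsigned.example.", "www.example.", frozenset({"NS", "DS", "RRSIG", "NSEC"}))
    not_validated = NSEC("unsigned.example.", "www.example.",
                         frozenset({"NS", "RRSIG", "NSEC"}), signed=False)
    return {
        "unsigned child, proven": insecurity_proof(child, [ns_only]),
        "parent has DS": insecurity_proof(child, [with_ds]),
        "nsec not validated": insecurity_proof(child, [not_validated]),
        "dnssec records stripped by forwarder": insecurity_proof(child, []),
    }


if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case}: {result}")
```

For the root zone in the question there is no parent NSEC at all: the configured trust anchor plays the parent's role and says the root is signed, so an answer for `./NS` that arrives without usable RRSIG data ends in the same "proof failed" branch. That is why the second comment's approach, keeping validation on and pointing `forwarders` at a resolver that passes DNSSEC records through, clears the error without giving up the check.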
-1

Add the line below to your "/etc/default/bind9":

# startup options for the server
OPTIONS="-u bind -4"
Eric Carvalho
  • 54,385
karan
  • 1