0

I'm using Ubuntu 14.04.4 LTS on following system:

root@ubuntu-1gb-nyc2-01:~# uname -a
Linux ubuntu-1gb-nyc2-01 3.13.0-77-generic #121-Ubuntu SMP Wed Jan 20 10:50:42 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
root@ubuntu-1gb-nyc2-01:~#

and I'm seeing a lot of following errors in my /var/log/syslog:

Feb 20 15:03:52 ubuntu-1gb-nyc2-01 named[29783]:   validating @0x7f8f946ae8f0: com SOA: got insecure response; parent indicates it should be secure
Feb 20 15:03:52 ubuntu-1gb-nyc2-01 named[29783]: error (insecurity proof failed) resolving 'X.com/MX/IN': 208.67.222.222#53

How should I deal with it? How do I comply with "parent" by making it "secure"?

alexus
  • 13,112
  • 32
  • 117
  • 174

1 Answers1

0

OpenDNS doesn't support DNSSEC but your validating resolver server has been configured to forward queries to OpenDNS.


The obvious options to resolve this are:

  1. Don't forward at all (named is quite capable to handle recursion requests on its own)
  2. Forward to DNSSEC capable servers (ie, not OpenDNS)
  3. Disable DNSSEC validation (losing out on the authentication of DNS data for signed zones)

My preference would be either 1. or 2., but your actual requirements should decide which approach you choose.

Håkan Lindqvist
  • 35,011
  • 5
  • 69
  • 94