I run "logcheck" on my servers and have noticed that my DC01 log has these: Feb 4 06:58:16 dc01 named[2096]: validating @0xb1c75c18: . NS: got insecure response; parent indicates it should be secure Feb 4 06:58:16 dc01 named[2096]: error (insecurity proof failed) resolving './NS/IN': 208.67.222.222#53 Feb 4 06:58:16 dc01 named[2096]: validating @0xb1c75c18: . NS: got insecure response; parent indicates it should be secure Feb 4 06:58:16 dc01 named[2096]: error (insecurity proof failed) resolving './NS/IN': 208.67.220.220#53 Feb 4 07:04:51 dc01 named[2096]: validating @0xb982c740: com SOA: got insecure response; parent indicates it should be secure Feb 4 07:04:51 dc01 named[2096]: error (no valid RRSIG) resolving 'microsoft.com/DS/IN': 208.67.222.222#53 Feb 4 07:04:51 dc01 named[2096]: validating @0xb982c740: com SOA: got insecure response; parent indicates it should be secure Feb 4 07:04:51 dc01 named[2096]: error (no valid RRSIG) resolving 'microsoft.com/DS/IN': 208.67.220.220#53 Feb 4 07:04:51 dc01 named[2096]: validating @0xb1c314a8: net SOA: got insecure response; parent indicates it should be secure Feb 4 07:04:51 dc01 named[2096]: error (no valid RRSIG) resolving 'akadns.net/DS/IN': 208.67.222.222#53 Feb 4 07:04:51 dc01 named[2096]: validating @0xb1c314a8: net SOA: got insecure response; parent indicates it should be secure Feb 4 07:04:51 dc01 named[2096]: error (no valid RRSIG) resolving 'akadns.net/DS/IN': 208.67.220.220#53 Feb 4 07:05:12 dc01 named[2096]: validating @0xb982c740: com SOA: got insecure response; parent indicates it should be secure Feb 4 07:05:12 dc01 named[2096]: error (no valid RRSIG) resolving 'woodgrovebank.com/DS/IN': 208.67.220.220#53 Now, I am not certain if this is an issue but it sure looks strange to me. Perhaps there is something set incorrectly in bind? As I little about bind, I do not know. My DC was created using Louis' "generation one" scripts. Maybe this is nothing? -- ------------------------- Bob Wooden of Donelson Trophy 615.885.2846 (main) www.donelsontrophy.com [1] "Everyone deserves an award!!" Links: ------ [1] http://www.donelsontrophy.com
Hi bob., As fas as i know opendns does not support dnssec. which is default enabled in bind9 try switchin your dns forwarders to googles ( which support dnssec ) and see what happens. or.. disable dnssec in bind9 Louis>-----Oorspronkelijk bericht----- >Van: bob at donelsontrophy.net >[mailto:samba-bounces at lists.samba.org] Namens Bob of Donelson Trophy >Verzonden: woensdag 4 februari 2015 15:05 >Aan: SAMBA MailList >Onderwerp: [Samba] DC01 log entries > > > >I run "logcheck" on my servers and have noticed that my DC01 log has >these: > >Feb 4 06:58:16 dc01 named[2096]: validating @0xb1c75c18: . NS: got >insecure response; parent indicates it should be secure >Feb 4 06:58:16 dc01 named[2096]: error (insecurity proof failed) >resolving './NS/IN': 208.67.222.222#53 >Feb 4 06:58:16 dc01 named[2096]: validating @0xb1c75c18: . NS: got >insecure response; parent indicates it should be secure >Feb 4 06:58:16 dc01 named[2096]: error (insecurity proof failed) >resolving './NS/IN': 208.67.220.220#53 >Feb 4 07:04:51 dc01 named[2096]: validating @0xb982c740: com SOA: got >insecure response; parent indicates it should be secure >Feb 4 07:04:51 dc01 named[2096]: error (no valid RRSIG) resolving >'microsoft.com/DS/IN': 208.67.222.222#53 >Feb 4 07:04:51 dc01 named[2096]: validating @0xb982c740: com SOA: got >insecure response; parent indicates it should be secure >Feb 4 07:04:51 dc01 named[2096]: error (no valid RRSIG) resolving >'microsoft.com/DS/IN': 208.67.220.220#53 >Feb 4 07:04:51 dc01 named[2096]: validating @0xb1c314a8: net SOA: got >insecure response; parent indicates it should be secure >Feb 4 07:04:51 dc01 named[2096]: error (no valid RRSIG) resolving >'akadns.net/DS/IN': 208.67.222.222#53 >Feb 4 07:04:51 dc01 named[2096]: validating @0xb1c314a8: net SOA: got >insecure response; parent indicates it should be secure >Feb 4 07:04:51 dc01 named[2096]: error (no valid RRSIG) resolving >'akadns.net/DS/IN': 208.67.220.220#53 >Feb 4 07:05:12 dc01 named[2096]: validating @0xb982c740: com SOA: got >insecure response; parent indicates it should be secure >Feb 4 07:05:12 dc01 named[2096]: error (no valid RRSIG) resolving >'woodgrovebank.com/DS/IN': 208.67.220.220#53 > >Now, I am not certain if this is an issue but it sure looks strange to >me. > >Perhaps there is something set incorrectly in bind? As I little about >bind, I do not know. > >My DC was created using Louis' "generation one" scripts. > >Maybe this is nothing? > >-- > >------------------------- > >Bob Wooden of Donelson Trophy > >615.885.2846 (main) >www.donelsontrophy.com [1] > >"Everyone deserves an award!!" > > >Links: >------ >[1] http://www.donelsontrophy.com >-- >To unsubscribe from this list go to the following URL and read the >instructions: https://lists.samba.org/mailman/options/samba > >
Not knowing bind that well, these changes take place in the /etc/bind/named.conf.options file? Is there anywhere else they need changing? --- ------------------------- Bob Wooden of Donelson Trophy 615.885.2846 (main) www.donelsontrophy.com [1] "Everyone deserves an award!!" On 2015-02-06 10:11, L.P.H. van Belle wrote:> Hi bob., > > As fas as i know opendns does not support dnssec. > which is default enabled in bind9 > > try switchin your dns forwarders to googles ( which support dnssec ) > and see what happens. > > or.. disable dnssec in bind9 > > Louis > >> -----Oorspronkelijk bericht----- Van: bob at donelsontrophy.net [mailto:samba-bounces at lists.samba.org] Namens Bob of Donelson Trophy Verzonden: woensdag 4 februari 2015 15:05 Aan: SAMBA MailList Onderwerp: [Samba] DC01 log entries I run "logcheck" on my servers and have noticed that my DC01 log has these: Feb 4 06:58:16 dc01 named[2096]: validating @0xb1c75c18: . NS: got insecure response; parent indicates it should be secure Feb 4 06:58:16 dc01 named[2096]: error (insecurity proof failed) resolving './NS/IN': 208.67.222.222#53 Feb 4 06:58:16 dc01 named[2096]: validating @0xb1c75c18: . NS: got insecure response; parent indicates it should be secure Feb 4 06:58:16 dc01 named[2096]: error (insecurity proof failed) resolving './NS/IN': 208.67.220.220#53 Feb 4 07:04:51 dc01 named[2096]: validating @0xb982c740: com SOA: got insecure response; parent indicates it should be secure Feb 4 07:04:51 dc01 named[2096]: error (no valid RRSIG) resolving 'microsoft.com/DS/IN': 208.67.222.222#53 Feb 4 07:04:51 dc01 named[2096]: validating @0xb982c740: com SOA: got insecure response; parent indicates it should be secure Feb 4 07:04:51 dc01 named[2096]: error (no valid RRSIG) resolving 'microsoft.com/DS/IN': 208.67.220.220#53 Feb 4 07:04:51 dc01 named[2096]: validating @0xb1c314a8: net SOA: got insecure response; parent indicates it should be secure Feb 4 07:04:51 dc01 named[2096]: error (no valid RRSIG) resolving 'akadns.net/DS/IN': 208.67.222.222#53 Feb 4 07:04:51 dc01 named[2096]: validating @0xb1c314a8: net SOA: got insecure response; parent indicates it should be secure Feb 4 07:04:51 dc01 named[2096]: error (no valid RRSIG) resolving 'akadns.net/DS/IN': 208.67.220.220#53 Feb 4 07:05:12 dc01 named[2096]: validating @0xb982c740: com SOA: got insecure response; parent indicates it should be secure Feb 4 07:05:12 dc01 named[2096]: error (no valid RRSIG) resolving 'woodgrovebank.com/DS/IN': 208.67.220.220#53 Now, I am not certain if this is an issue but it sure looks stra nge to me. Perhaps there is something set incorrectly in bind? As I little about bind, I do not know. My DC was created using Louis' "generation one" scripts. Maybe this is nothing? -- ------------------------- Bob Wooden of Donelson Trophy 615.885.2846 (main) www.donelsontrophy.com [1] [1 [1]] "Everyone deserves an award!!" Links: ------ [1] http://www.donelsontrophy.com [1] -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba [2] Links: ------ [1] http://www.donelsontrophy.com [2] https://lists.samba.org/mailman/options/samba