I’m getting these bind/named errors at a rate of 10 or 20 per hour in my syslog:
Dec 23 14:15:05 int named[1943]: validating @0x7fadd01c2e70: . NS: got insecure response; parent indicates it should be secure
Dec 23 14:15:05 int named[1943]: error (insecurity proof failed) resolving './NS/IN': 64.128.190.5#53
Dec 23 14:15:06 int named[1943]: validating @0x7fadd85be170: . NS: got insecure response; parent indicates it should be secure
Dec 23 14:15:06 int named[1943]: error (insecurity proof failed) resolving './NS/IN': 64.128.190.5#53
Dec 23 14:15:06 int named[1943]: validating @0x7fadd84fd580: 91.in-addr.arpa SOA: got insecure response; parent indicates it should be secure
Dec 23 14:15:06 int named[1943]: error (no valid RRSIG) resolving '89.189.91.in-addr.arpa/DS/IN': 64.128.190.5#53
It sounds like named is trying to verify the chain of trust back to the root servers, but finding broken links. (?)
isaaclw’s comment implies that it’s an issue with my ISP’s nameservers… but I still don’t understand exactly what’s going on.
Anyone else seeing this? Should I:
- bug my ISP about their nameservers?
- switch to google’s nameservers?
- turn off dnssec like almost everyone is recommending? (ha)
- ignore it?