dnssec bad cache hit error for bind9.16.13


Sakuma, Koshiro
Hello Team,

I've just finished setting up bind9.16.13 from scratch (from source), but I got an error when I checked BIND's function with the "dig" command. The error I got was as below.

1. dig result:
; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8_3.1 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17070
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 

2. named.log
There are many bad cache hit logs.
dnssec: view internal:   validating nikkei225jp.com/SOA: bad cache hit (com/DS)

I tried to dig into this issue and found one thing: disabling the dnssec-validation option.
After changing it, the issue was fixed. However, I'm wondering if I can disable this option, for security reasons. Or is there another solution?

Thank you for your support!

