NS: got insecure response; parent indicates it should be secure


Solution 1

This is related to the new DNSSEC feature, which is now enabled by default. This might indicate that the DNS resolvers/forwarders you are using do not support DNSSEC, so the responses appear to be insecure to your server.

You can either use resolvers that support DNSSEC or temporarily disable the feature on your server. To disable it, simply use these parameters in your named.conf or named.conf.options:

dnssec-enable no;
dnssec-validation no;

Solution 2

The internet can be a pretty frustrating place with people parroting the same answers; in place of a solution, you are being given workarounds.

I can tell you for a fact that if a DNS server says it is providing a secure response, then it is providing a secure response. The problem here is that DNS forwarders are stripping DNSSEC signatures, and this appears to be commonplace. Since I haven't heard of this being done transparently, you probably have a forwarder set. So, if you do want to use DNSSEC in this manner, then disable your forwarder in named.conf.options:

options {
        directory "/var/cache/bind";
        //forwarders {
        //      8.8.8.8;
        //};

        dnssec-validation auto;
        dnssec-enable yes;
        dnssec-lookaside auto;
};
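
Before disabling validation or removing a forwarder, it helps to confirm whether that forwarder actually returns signatures. The following is an added example, not part of either answer: a small filter that classifies `dig +dnssec` output. Run it against a zone known to be signed, for example `dig +dnssec @FORWARDER . NS | classify_dnssec`, where `FORWARDER` is a placeholder for the forwarder's address; the function names and the sample reply are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify `dig +dnssec` output read from stdin.
#   signed       RRSIG records came back in the answer section
#   no-rrsig     NOERROR answer without any RRSIG
#   no-edns      reply has no OPT pseudosection (EDNS0/DO not honoured)
#   no-answer    NOERROR but empty answer section
#   failed:RC    rcode other than NOERROR, e.g. failed:SERVFAIL
#   no-header    input did not contain a dig response header
# The second word reports whether the AD (authenticated data) flag was set.
classify_dnssec() {
    awk '
        /^;; ->>HEADER<<-/ {
            for (i = 1; i < NF; i++)
                if ($i == "status:") { rc = $(i + 1); sub(/,$/, "", rc) }
        }
        /^;; flags:/ {
            f = $0; sub(/^;; flags: */, "", f); sub(/;.*/, "", f)
            if ((" " f " ") ~ / ad /) ad = 1
        }
        /^; EDNS:/ { edns = 1 }
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;;/ || /^$/ { in_answer = 0 }
        in_answer && NF >= 5 { answers++; if ($4 == "RRSIG") sigs++ }
        END {
            if (rc == "")             v = "no-header"
            else if (rc != "NOERROR") v = "failed:" rc
            else if (!edns)           v = "no-edns"
            else if (answers == 0)    v = "no-answer"
            else if (sigs > 0)        v = "signed"
            else                      v = "no-rrsig"
            print v, "ad=" (ad + 0)
        }'
}

# Constructed dig output (not captured from a real server).
# Pass "rrsig" to include a signature record in the answer section.
sample_reply() {
    printf '%s\n' \
        ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4660' \
        ';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1' \
        '' ';; OPT PSEUDOSECTION:' '; EDNS: version: 0, flags: do; udp: 4096' \
        ';; ANSWER SECTION:' \
        'example.test. 300 IN A 192.0.2.10'
    if [ "${1:-}" = rrsig ]; then
        printf '%s\n' 'example.test. 300 IN RRSIG A 8 2 300 20300101000000 20200101000000 12345 example.test. c2FtcGxl'
    fi
    printf '\n'
}

sample_reply rrsig | classify_dnssec   # forwarder passes signatures
sample_reply | classify_dnssec         # forwarder returns the answer without them
```

A `no-rrsig` or `no-edns` result for a signed zone means the signatures did not come back from that server, which is the condition a validating resolver behind it reports as an insecure response.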
Author: Jorre

Updated on September 03, 2021

Comments

  • Jorre
    Jorre over 2 years

    I'm trying to run BIND on CentOS 6.3 on my school network and I'm having trouble getting external queries to work.

    I can dig/query my own zones running on my server, but once I dig for an external domain name I see the following in my log files:

    NS: got insecure response; parent indicates it should be secure
    

    I have disabled dnssec with no result. I'm using the DNS forwarders from school, helpdesk has no idea what's wrong at this point in time.

    However, I CAN dig @SCHOOL-SERVER and it will return a correct answer. It's just working with the forwarders that doesn't seem to work.

    Can somebody point me in the right direction here?

  • Aryo
    Aryo over 10 years
    I am able to get rid of the message by commenting out the dnssec-validation auto; and adding dnssec-enable no; dnssec-validation no; below it. On Ubuntu/Debian, the named.conf is located in the /etc/bind/named.conf.options file.
  • Fonzie
    Fonzie over 6 years
    Thanks. This problem has been bugging me for a couple of days.