NS: got insecure response; parent indicates it should be secure

I'm trying to run BIND on CentOS 6.3 on my school network and I'm having trouble getting external queries to work.

I can dig/query my own zones running on my server, but once I dig for an external domain name I see the following in my log files:

NS: got insecure response; parent indicates it should be secure

I have disabled DNSSEC with no result. I'm using the DNS forwarders from school; the helpdesk has no idea what's wrong at this point in time.

However, I CAN dig @SCHOOL-SERVER and it will return a correct answer. It's just working with the forwarders that doesn't seem to work.

Can somebody point me in the right direction here?

Three answered 12/11, 2012 at 10:25 Comment(1)
I had the same problem. This post helped me: linuxformat.com/forums/viewtopic.php?p=103969. I disabled DNSSEC by setting dnssec-enable no; and dnssec-validation no;. Maybe double check your named.conf? - Lustrum

This is related to the new DNSSEC feature, which is now enabled by default. This might indicate that the DNS resolvers/forwarders you are using do not support DNSSEC, so the response appears to be insecure to your server.

You can either use resolvers that support DNSSEC or temporarily disable the feature on your server. To disable it, simply use these parameters in your named.conf or named.conf.options:

dnssec-enable no;
dnssec-validation no;
Plier answered 17/2, 2013 at 16:56 Comment(2)
I am able to get rid of the message by commenting out the dnssec-validation auto; and adding dnssec-enable no; dnssec-validation no; below it. On Ubuntu/Debian, the named.conf is located in the /etc/bind/named.conf.options file. - Gallman
Thanks. This problem has been bugging me for a couple of days. - Boley

The internet can be a pretty frustrating place, with people parroting the same answers; in place of a solution, you are being given workarounds.

I can tell you for a fact that if a DNS server says it is providing a secure response, then it is providing a secure response. The problem here is that DNS forwarders are stripping DNSSEC signatures; this appears to be commonplace, and since I haven't heard of this being done transparently, you probably have a forwarder set. So, if you do want to use DNSSEC in this manner, then disable your forwarder in named.conf.options:

options {
        directory "/var/cache/bind";
        //forwarders {
        //      8.8.8.8;
        //};

        dnssec-validation auto;
        dnssec-enable yes;
        dnssec-lookaside auto;
};
Umiak answered 5/12, 2019 at 22:34 Comment(0)
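One way to tell whether a forwarder is passing DNSSEC data through or stripping it, as the answer above describes: inspect the header flags and answer section of a `dig +dnssec` response for the ad bit and RRSIG records. This is an added example, not code from the original post or from BIND; the two dig outputs are constructed samples, not real captures.

```python
import re

# Constructed sample, modelled on `dig +dnssec example.com A` via a forwarder that
# passes DNSSEC records through: RRSIG present and the ad (authenticated data) bit set.
DIG_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.\t3600\tIN\tA\t192.0.2.1
example.com.\t3600\tIN\tRRSIG\tA 13 2 3600 20240101000000 20231201000000 12345 example.com. abc=

;; Query time: 12 msec
"""

# Constructed sample from a forwarder that strips DNSSEC records: no RRSIG, no ad bit.
# This is the situation that makes a validating BIND log "got insecure response".
DIG_STRIPPED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1235
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
example.com.\t3600\tIN\tA\t192.0.2.1

;; Query time: 9 msec
"""


def answer_section(dig_output: str) -> list:
    """Return the record lines of the ANSWER SECTION (stops at the next blank/';;' line)."""
    lines = dig_output.splitlines()
    records, inside = [], False
    for line in lines:
        if line.startswith(";; ANSWER SECTION:"):
            inside = True
            continue
        if inside and (not line.strip() or line.startswith(";;")):
            break
        if inside:
            records.append(line)
    return records


def assess_forwarder(dig_output: str) -> dict:
    """Classify a `dig +dnssec` response by what the upstream resolver handed back."""
    flags_match = re.search(r"^;; flags: ([a-z ]*);", dig_output, re.M)
    flags = set(flags_match.group(1).split()) if flags_match else set()
    rrsigs = [r for r in answer_section(dig_output) if "\tRRSIG\t" in r]
    if rrsigs and "ad" in flags:
        verdict = "validated"            # forwarder validates and forwards signatures
    elif rrsigs:
        verdict = "signed-not-validated" # signatures present; your own BIND can validate
    else:
        verdict = "stripped"             # no RRSIG at all: forwarder unusable for DNSSEC
    return {"verdict": verdict, "ad": "ad" in flags, "rrsig_count": len(rrsigs)}
```

A "stripped" verdict means BIND with dnssec-validation on cannot succeed through that forwarder, which is the case the answer above addresses by removing the forwarders block.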

Simply change

dnssec-validation auto;

to

dnssec-validation yes;

in named.conf

Katowice answered 11/9, 2023 at 10:51 Comment(0)
