i've setup a UTM box DNS as follows:
- Allow internal networks
- DNSSEC validation set
- forwarders set with an availability group with google and isp DNS servers
- request routes set for domain.local and .in-addr-arpa reverse resolution all pointing to internal AD DNS server
- AD DNS server has forwarder set on the UTM internal IP
everything seems to be working fine, but per chance i was checking the dns log and i see a LOT of errors and now i don't know if it's working correctly or not:
2014:08:08-15:10:59 utm named[11125]: validating @0x9361db8: domain.local SOA: got insecure response; parent indicates it should be secure
2014:08:08-15:10:59 utm named[11125]: error (no valid RRSIG) resolving 'serverdominio.domain.local/DS/IN': 192.168.3.202#53
2014:08:08-15:10:59 utm named[11125]: error (no valid DS) resolving 'serverdominio.domain.local/A/IN': 192.168.3.202#53
error (no valid DS) resolving '_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.domain.LOCAL/SRV/IN': 192.168.3.202#53
why is it validating my LOCAL domain, and what parent is indicating that it should be secure?, there's no higher parent than the AD DNS server and it's certainly not set for DNSSEC.
then it tries to validate the domain server hostname...
it repeats that same /ds/in and /a/in for several other internal hostnames.
other errors i see:
"error (unexpected RCODE REFUSED) resolving 'domain.com.ar/MX/IN': ***.61.xx.x#53" repeated several times for that specific domain
random errors like "error (no valid RRSIG) resolving 'oodic.com/DS/IN': 8.8.8.8#53"
so again, what happens with those errors, will it resolve it anyway or just refuse to resolve and timeout? [:S]
am i better off just chucking dnssec out?
This thread was automatically locked due to age.
