DNSSEC using Comcast DNS servers

I have a caching BIND server running on the LAN, and it logs hundreds of errors like this per day:

    Aug 30 12:05:47 nuc named[850]:   validating @0x7fc6d4018b50: com SOA: got insecure response; parent indicates it should be secure
    Aug 30 12:05:47 nuc named[850]: error (no valid RRSIG) resolving 'facebook.com/DS/IN': 75.75.75.75#53
    Aug 30 12:05:47 nuc named[850]:   validating @0x7fc6cc4fe120: com SOA: got insecure response; parent indicates it should be secure
    Aug 30 12:05:47 nuc named[850]: error (no valid RRSIG) resolving 'amazonaws.com/DS/IN': 75.75.75.75#53
    Aug 30 12:06:23 nuc named[850]:   validating @0x7fc6dc8a03e0: com SOA: got insecure response; parent indicates it should be secure
    Aug 30 12:06:23 nuc named[850]: error (no valid RRSIG) resolving 'mozilla.com/DS/IN': 75.75.75.75#53

This doesn't actually prevent clients from resolving names, but it logs a ton of errors. This is the BIND setup in named.conf:

    forwarders {
            # Comcast
            2001:558:feed::1;
            2001:558:feed::2;
            75.75.75.75;
            75.75.76.76;
    };
    forward only;

    dnssec-enable yes;
    dnssec-validation auto;
    dnssec-lookaside auto;

Are the Comcast servers stripping out DNSSEC signatures (I asked this on serverfault and that's what the responses were)? If that's the case, why do this? Is there a way to use Comcast DNS servers and do DNSSEC validation locally?

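As an added example (not from the post, BIND, or Comcast), a small Python script that parses named log lines in the format quoted above, tallies which forwarder each "no valid RRSIG" failure was attributed to, and flags forwarders that keep failing so you know which upstream to check. The sample log is constructed from the quoted lines, with one failure moved to the second Comcast address and one unrelated query-log line added; the threshold in suspect_forwarders is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the BIND log lines quoted in the post
# (one failure attributed to 75.75.76.76 and one unrelated line added).
SAMPLE_LOG = """\
Aug 30 12:05:47 nuc named[850]:   validating @0x7fc6d4018b50: com SOA: got insecure response; parent indicates it should be secure
Aug 30 12:05:47 nuc named[850]: error (no valid RRSIG) resolving 'facebook.com/DS/IN': 75.75.75.75#53
Aug 30 12:05:47 nuc named[850]:   validating @0x7fc6cc4fe120: com SOA: got insecure response; parent indicates it should be secure
Aug 30 12:05:47 nuc named[850]: error (no valid RRSIG) resolving 'amazonaws.com/DS/IN': 75.75.75.75#53
Aug 30 12:06:23 nuc named[850]: error (no valid RRSIG) resolving 'mozilla.com/DS/IN': 75.75.76.76#53
Aug 30 12:06:24 nuc named[850]: client 192.0.2.10#51234: query: example.org IN A + (192.0.2.1)
"""

# "error (no valid RRSIG) resolving '<name>/<type>/IN': <server>#<port>"
RRSIG_RE = re.compile(
    r"error \(no valid RRSIG\) resolving '(?P<name>[^/]+)/(?P<rtype>\w+)/IN': "
    r"(?P<server>[0-9a-fA-F.:]+)#(?P<port>\d+)"
)
# Companion line logged by the validator when the parent zone has a DS but the
# answer came back without signatures.
INSECURE_RE = re.compile(r"got insecure response; parent indicates it should be secure")


def summarize(log_text):
    """Per-forwarder RRSIG failure counts, the names that failed, and the
    number of 'insecure response' validator messages."""
    failures_by_server = Counter()
    names_by_server = defaultdict(set)
    insecure_hits = 0
    for line in log_text.splitlines():
        m = RRSIG_RE.search(line)
        if m:
            failures_by_server[m["server"]] += 1
            names_by_server[m["server"]].add(m["name"])
        elif INSECURE_RE.search(line):
            insecure_hits += 1
    return {
        "failures_by_server": dict(failures_by_server),
        "names_by_server": {s: sorted(n) for s, n in names_by_server.items()},
        "insecure_responses": insecure_hits,
    }


def suspect_forwarders(summary, threshold=2):
    """Forwarders with at least `threshold` RRSIG failures (threshold is an
    assumed tuning value): the upstreams worth testing for DNSSEC support."""
    return sorted(s for s, c in summary["failures_by_server"].items() if c >= threshold)
```

Run it over /var/log or the journal output instead of SAMPLE_LOG to see whether every failure points at the same upstream, which is the pattern you would expect if the forwarder itself is dropping signatures rather than a single zone being misconfigured.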