NS: got insecure response; parent indicates it should be secure

Jorre · Nov 12, 2012 · Viewed 33.5k times

I'm trying to run BIND on CentOS 6.3 on my school network and I'm having trouble getting external queries to work.

I can dig/query my own zones running on my server, but once I dig for an external domain name I see the following in my log files:

NS: got insecure response; parent indicates it should be secure

I have disabled DNSSEC with no result. I'm using the DNS forwarders from school; helpdesk has no idea what's wrong at this point in time.

However, I CAN dig @SCHOOL-SERVER and it will return a correct answer. It's just working with the forwarders that doesn't seem to work.

Can somebody point me in the right direction here? Let me know if you need more logs or tests from me.

Thank you!

Answer

mazgalici · Feb 17, 2013

This is related to the new DNSSEC feature, which is now enabled by default. This might indicate that the DNS resolvers/forwarders you are using do not support DNSSEC, so the response appears to be insecure to your server.

You can either use resolvers that support DNSSEC or temporarily disable the feature on your server. To disable it, simply use these parameters in your named.conf or named.conf.options:

dnssec-enable no;
dnssec-validation no;
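
To check whether a forwarder actually returns DNSSEC records before turning validation off, the output of `dig +dnssec` against it can be classified as below. This is an added example, not part of the original answer; `classify_forwarder`, the sample functions and the `FORWARDER` / `SIGNED-ZONE` placeholders are assumptions, and the dig output shown is constructed.

```shell
#!/bin/sh
# Added example (not from the original answer): classify `dig +dnssec` output.
# Real use, with your forwarder's address and a name in a DNSSEC-signed zone:
#   dig @FORWARDER +dnssec SIGNED-ZONE SOA | classify_forwarder

classify_forwarder() {
    awk '
        /^;; ->>HEADER<<-/ { seen = 1; if ($0 !~ /status: NOERROR/) failed = 1 }
        /^;; flags:/ {
            f = $0
            sub(/^;; flags:/, "", f)    # drop the label
            sub(/;.*/, "", f)           # keep only the header flag list
            if ((" " f " ") ~ / ad /) ad = 1
        }
        /^;; ANSWER SECTION:/   { in_ans = 1; next }
        /^;;/ || /^$/           { in_ans = 0 }
        in_ans && $4 == "RRSIG" { rrsig = 1 }
        END {
            if (!seen || failed) print "query-failed"
            else if (!rrsig)     print "no-dnssec"    # signatures missing
            else if (ad)         print "validating"   # forwarder validated the answer
            else                 print "passthrough"  # signatures passed, not validated
        }'
}

# Constructed sample: forwarder returned the SOA but no RRSIG.
sample_stripped() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.org. 3600 IN SOA ns.example.org. admin.example.org. 1 7200 3600 1209600 3600
EOF
}

# Constructed sample: same answer with its RRSIG and the AD flag set.
sample_signed() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.org. 3600 IN SOA ns.example.org. admin.example.org. 1 7200 3600 1209600 3600
example.org. 3600 IN RRSIG SOA 8 2 3600 20300101000000 20291201000000 12345 example.org. c2lnbmF0dXJl
EOF
}

sample_stripped | classify_forwarder
sample_signed | classify_forwarder
```

A `no-dnssec` result for a name in a signed zone means the forwarder is dropping the signatures a validating server behind it needs; the result is only meaningful when the queried zone is actually signed.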