Hi BLU, one more sys-admin question... :)

I've been having trouble with Verizon's domain name servers, so I decided to fire up a caching domain name server. In doing so, I realized that it's gotten a bit more complicated since I last performed this task. Mainly, it looks like there is now a secure name service, or DNSSEC, which is shipped with RHEL6.

So I didn't change the default configuration in /etc/named.conf, only to allow named to listen on the local area network and accept queries from my local system. There is a file which defines a bunch of root servers called /var/named/named.ca. So with this setup, I'm assuming I'm skipping over the Verizon domain name servers and going directly to the root servers.

I then thought I should have my named query the Verizon DNS servers instead of hitting the root servers, and when I did, I got a bunch of the following errors...

Nov 29 22:14:42 basement00 named[22831]: error (insecurity proof failed) resolving 'dk.cachefly.net.dlv.isc.org/DLV/IN': 71.242.0.12#53
Nov 29 22:14:42 basement00 named[22831]: validating @0x7f0c9002eab0: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
Nov 29 22:14:42 basement00 named[22831]: validating @0x7f0c94014d20: dlv.isc.org SOA: got insecure response; parent indicates it should be secure

So, it seems to me that if I am really wanting to use DNSSEC, then I should remove the forwarder option in named.conf and have my named go straight to the root servers. Somehow I feel that this really isn't how I should be setting my named up....

Any comments are greatly appreciated.

Cheers.
Steve.
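
Added example, not part of the original post: a small Python triage of the named log lines quoted above, counting DNSSEC resolution errors per upstream server and "insecure response" validations per zone. The fourth sample log line and the `forwarders` argument (assumed here to be the 71.242.0.12 address seen in the log) are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the three lines quoted in the post plus one unrelated line.
SAMPLE_LOG = """\
Nov 29 22:14:42 basement00 named[22831]: error (insecurity proof failed) resolving 'dk.cachefly.net.dlv.isc.org/DLV/IN': 71.242.0.12#53
Nov 29 22:14:42 basement00 named[22831]: validating @0x7f0c9002eab0: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
Nov 29 22:14:42 basement00 named[22831]: validating @0x7f0c94014d20: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
Nov 29 22:14:43 basement00 named[22831]: zone localhost/IN: loaded serial 0
"""

# "error (<reason>) resolving '<name>/<type>/<class>': <server>#<port>"
RESOLVE_ERR = re.compile(
    r"named\[\d+\]: error \((?P<reason>[^)]+)\) resolving "
    r"'(?P<name>[^/']+)/(?P<rtype>[^/']+)/(?P<rclass>[^']+)': "
    r"(?P<server>[0-9a-fA-F.:]+)#(?P<port>\d+)"
)
# "validating @0x<ptr>: <name> <type>: <message>"
VALIDATING = re.compile(
    r"named\[\d+\]: validating @0x[0-9a-f]+: "
    r"(?P<name>\S+) (?P<rtype>\S+): (?P<msg>.+)$"
)


def triage(log_text, forwarders=()):
    """Summarise DNSSEC failures: which upstream answered, which zone failed."""
    by_server = Counter()   # (server, reason) -> count
    insecure = Counter()    # (zone, rrtype) -> count
    for line in log_text.splitlines():
        m = RESOLVE_ERR.search(line)
        if m:
            by_server[(m["server"], m["reason"])] += 1
            continue
        m = VALIDATING.search(line)
        if m and "insecure response" in m["msg"]:
            insecure[(m["name"], m["rtype"])] += 1
    known = set(forwarders)
    # Servers with errors that are also configured forwarders (assumed list).
    via_forwarder = sorted({srv for srv, _ in by_server if srv in known})
    return {"by_server": dict(by_server), "insecure": dict(insecure),
            "via_forwarder": via_forwarder}


if __name__ == "__main__":
    # Assumption: 71.242.0.12 is the address listed under "forwarders".
    print(triage(SAMPLE_LOG, forwarders=["71.242.0.12"]))
```

If every failing server appears in `via_forwarder`, the validation errors are tied to answers coming back through the forwarder rather than to the local named itself.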