Ubuntu DNS server working, but getting errors in syslog
Solution 1:
These error messages are related to dnssec. Remove or comment out all the lines in /etc/bind/named.conf.options
that start with dnssec
and restart bind9.
The best explanation for what's going on that I could find is here:
When the validator receives a response from an unsigned zone that has a signed parent, it must confirm with the parent that the zone was intentionally left unsigned. It does this by verifying, via signed and validated NSEC/NSEC3 records, that the parent zone contains no DS records for the child.
If the validator can prove that the zone is insecure, then the response is accepted. However, if it cannot, then it must assume an insecure response to be a forgery; it rejects the response and logs an error.
The logged error reads "insecurity proof failed" and "got insecure response; parent indicates it should be secure". (Prior to BIND 9.7, the logged error was "not insecure". This referred to the zone, not the response.)