Hello,
I'm using a local recursor for my network (BIND) and have set it to forward mode to the Cloudflare DNS server (using both IPv4 and IPv6). I also have DNSSEC validation turned on, and for the last few days I have had major problems with Cloudflare DNS. Right after flushing the local resolver and trying to do some requests…
04-Feb-2020 13:02:45.178 general: info: received control channel command 'flush'
04-Feb-2020 13:02:45.179 general: info: flushing caches in all views succeeded
04-Feb-2020 13:02:57.891 dnssec: info: validating arpa/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:02:57.922 dnssec: info: validating arpa/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:02:57.936 dnssec: info: validating arpa/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:02:57.965 dnssec: info: validating arpa/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:02:57.973 dnssec: info: validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:02:57.980 dnssec: info: validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:02:58.028 dnssec: info: validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:02:58.807 dnssec: info: validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:02:58.836 dnssec: info: validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:02:58.842 dnssec: info: validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:02:58.853 dnssec: info: validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:02:58.865 dnssec: info: validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:02:58.894 dnssec: info: validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:02:59.026 dnssec: info: validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:02:59.105 dnssec: info: validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:02:59.631 dnssec: info: validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:00.401 dnssec: info: validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:00.916 dnssec: info: validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:02.020 dnssec: info: validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:02.580 dnssec: info: validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:03.038 dnssec: info: validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:03.191 dnssec: info: validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:03.800 dnssec: info: validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:03.807 dnssec: info: validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:04.489 dnssec: info: validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:04.501 dnssec: info: validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:04.512 dnssec: info: validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:04.543 dnssec: info: validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:04.572 dnssec: info: validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:04.583 dnssec: info: validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:05.063 dnssec: info: validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:05.554 dnssec: info: validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:12.480 dnssec: info: validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:25.724 dnssec: info: validating ntp.se/A: got insecure response; parent indicates it should be secure
04-Feb-2020 13:03:25.733 dnssec: info: validating ntp.se/A: got insecure response; parent indicates it should be secure
04-Feb-2020 13:03:25.809 dnssec: info: validating ntp.se/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:03:25.817 dnssec: info: validating ntp.se/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:03:25.866 dnssec: info: validating ntp.se/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:03:25.911 dnssec: info: validating ntp.se/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:03:31.217 dnssec: info: validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:44.155 dnssec: info: validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:45.943 dnssec: info: validating dash.cloudflare.com/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:03:45.961 dnssec: info: validating dash.cloudflare.com/A: got insecure response; parent indicates it should be secure
04-Feb-2020 13:03:45.992 dnssec: info: validating dash.cloudflare.com/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:03:46.000 dnssec: info: validating dash.cloudflare.com/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:03:47.328 dnssec: info: validating dev/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:04:07.738 dnssec: info: validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:04:35.668 dnssec: info: validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:05:10.903 dnssec: info: validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:05:24.419 dnssec: info: validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
This has been going on for the last 4-5 days… every day there are more errors for more domains… I went through the logs and it seems this is where it started (logs from the 28th & 30th only):
28-Jan-2020 20:33:47.532 dnssec: info: validating one/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 06:51:08.446 dnssec: info: validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 07:47:02.833 dnssec: info: validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 07:47:02.837 dnssec: info: validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 07:47:03.604 dnssec: info: validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 07:47:03.891 dnssec: info: validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 07:47:03.895 dnssec: info: validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 07:50:47.412 dnssec: info: validating am/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 07:50:47.417 dnssec: info: validating am/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 09:18:24.840 dnssec: info: validating mobi/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 09:48:07.246 dnssec: info: validating lt/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 16:10:40.144 dnssec: info: validating aco.net/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 16:10:40.289 dnssec: info: validating aco.net/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 16:10:40.658 dnssec: info: validating ts2.aco.net/A: got insecure response; parent indicates it should be secure
30-Jan-2020 16:11:43.357 dnssec: info: validating 4.1.1.0.0.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 16:11:45.232 dnssec: info: validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 16:11:45.773 dnssec: info: validating 0.a.2.ip6.arpa/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 16:11:46.144 dnssec: info: validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 16:11:46.735 dnssec: info: validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 16:11:47.875 dnssec: info: validating 6.0.1.0.0.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 16:11:48.203 dnssec: info: validating 6.0.1.0.0.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 16:11:48.977 dnssec: info: validating 6.0.1.0.0.2.ip6.arpa/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 16:11:49.568 dnssec: info: validating 6.0.1.0.0.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 16:11:50.908 dnssec: info: validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 16:11:51.653 dnssec: info: validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 16:36:17.298 dnssec: info: validating app.uriports.com/A: got insecure response; parent indicates it should be secure
30-Jan-2020 17:04:25.562 dnssec: info: validating 0.a.2.ip6.arpa/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 17:04:25.632 dnssec: info: validating 0.a.2.ip6.arpa/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 17:04:25.635 dnssec: info: validating 0.a.2.ip6.arpa/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 17:33:10.734 dnssec: info: validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 17:33:10.738 dnssec: info: validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 17:33:13.504 dnssec: info: validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 17:33:13.978 dnssec: info: validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 17:33:14.550 dnssec: info: validating aco.net/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 17:33:14.867 dnssec: info: validating aco.net/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 17:33:14.935 dnssec: info: validating aco.net/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 17:33:15.022 dnssec: info: validating ts2.aco.net/AAAA: got insecure response; parent indicates it should be secure
30-Jan-2020 18:26:03.898 dnssec: info: validating guru/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 18:26:03.943 dnssec: info: validating guru/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 18:26:04.061 dnssec: info: validating guru/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 18:26:04.065 dnssec: info: validating guru/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 19:01:46.245 dnssec: info: validating mobi/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 19:04:11.574 dnssec: info: validating 0.a.2.ip6.arpa/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 19:04:11.998 dnssec: info: validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 19:04:14.120 dnssec: info: validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 19:05:42.872 dnssec: info: validating aco.net/AAAA: got insecure response; parent indicates it should be secure
30-Jan-2020 19:14:25.010 dnssec: info: validating t-2.com/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 19:52:26.501 dnssec: info: validating sc/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 20:20:55.464 dnssec: info: validating in/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 21:07:12.520 dnssec: info: validating rootonline.de/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 21:07:12.582 dnssec: info: validating rootonline.de/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 21:07:12.687 dnssec: info: validating viewer-geolocation.twitch-ext.rootonline.de/AAAA: got insecure response; parent indicates it should be secure
30-Jan-2020 21:30:01.495 dnssec: info: validating promo/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 21:30:01.625 dnssec: info: validating promo/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 21:30:02.121 dnssec: info: validating promo/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 21:30:02.513 dnssec: info: validating promo/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 22:49:42.586 dnssec: info: validating agency/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 23:10:29.451 dnssec: info: validating 143.221.in-addr.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 23:25:05.352 dnssec: info: validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 23:25:06.167 dnssec: info: validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 23:25:06.171 dnssec: info: validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 23:25:06.376 dnssec: info: validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 23:25:08.698 dnssec: info: validating 150.in-addr.arpa/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 23:25:51.766 dnssec: info: validating test-ns-signed.internet.nl/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 23:25:51.829 dnssec: info: validating test-ns-signed.internet.nl/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 23:25:51.982 dnssec: info: validating test-ns-signed.internet.nl/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 23:25:51.990 dnssec: info: validating test-ns-signed.internet.nl/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 23:25:51.998 dnssec: info: validating test-ns-signed.internet.nl/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 23:46:42.503 dnssec: info: validating instant-gaming.com/SOA: got insecure response; parent indicates it should be secure
And if this helps, DNS over IPv4 uses the Zagreb, Croatia datacenter and IPv6 uses the Austrian one.
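
An added example, not part of the original post: a Python parser for BIND dnssec log lines in the format shown above. It separates direct "got insecure response" failures from "bad cache hit" lines, groups the latter under the record named in parentheses, and records when each failing name was first seen. The sample input is constructed from lines in the post's format, and the function and variable names are this example's own.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the same format as the BIND log excerpt above.
SAMPLE = """\
04-Feb-2020 13:02:45.179 general: info: flushing caches in all views succeeded
04-Feb-2020 13:02:57.891 dnssec: info: validating arpa/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:02:57.973 dnssec: info: validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:02:58.836 dnssec: info: validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:25.724 dnssec: info: validating ntp.se/A: got insecure response; parent indicates it should be secure
04-Feb-2020 13:03:25.809 dnssec: info: validating ntp.se/DNSKEY: got insecure response; parent indicates it should be secure
"""

# timestamp, "dnssec: info: validating <name>/<type>: <message>"
LINE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) dnssec: info: "
    r"validating (?P<name>[^/\s]+)/(?P<rtype>[A-Z0-9]+): (?P<msg>.+)$"
)
# "bad cache hit (<name>/<type>)" names the cached record the validator hit.
BAD_CACHE = re.compile(r"^bad cache hit \((?P<name>[^/]+)/(?P<rtype>[A-Z0-9]+)\)$")


def summarize(text):
    """Return (direct, knock_on, first_seen) for dnssec validation log lines.

    direct:     Counter of (name, type) that got an insecure response
    knock_on:   {(cached name, type): Counter of (name, type) that hit it}
    first_seen: earliest timestamp of a direct failure per (name, type)
    """
    direct = Counter()
    knock_on = defaultdict(Counter)
    first_seen = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # other log categories (e.g. general:) are ignored
        key = (m["name"], m["rtype"])
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        bc = BAD_CACHE.match(m["msg"])
        if bc:
            knock_on[(bc["name"], bc["rtype"])][key] += 1
        elif m["msg"].startswith("got insecure response"):
            direct[key] += 1
            first_seen[key] = min(ts, first_seen.get(key, ts))
    return direct, knock_on, first_seen
```

Sorting first_seen by timestamp over a full log shows which zone began failing first, and knock_on shows how many later failures trace back to a single cached entry such as arpa/DNSKEY.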