When dnssec-validation stops working?

John Marshall john.marshall at riverwillow.com.au
Mon Aug 17 02:43:18 UTC 2009

Yesterday one of our BIND 9.6.1-P1 servers started logging lots of
messages like the following - for a number of different domains - and
failing to resolve the corresponding names.

named[204]: no valid RRSIG resolving 'cvsup.au.freebsd.org/A/IN':

Please note that in the above instance, the zone in question is not
signed.  BIND was logging this error and returning SERVFAIL to the

I only noticed this this morning and spent a while trying to figure out
what was happening - to no avail.  The BIND server had been running for
over two weeks with this configuration with no problem but I wondered
if, perhaps, something had gone weird with dnssec-validation.  I decided
to re-start named and everything is happy again.

What should I do to troubleshoot this if it happens again?

I'm new at DNSSEC.  This server is the first one we have configured.
I have the following in the global configuration options:

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside . trust-anchor dlv.isc.org.;

I have the dlv.isc.org. key and the key for our only signed zone
(internal zone being served only via an internal view) in the
trusted-keys section of the configuration.

I'd be glad to be referred to any troubleshooting tips.

Thank you.

John Marshall
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20090817/28fc5df4/attachment.bin>

More information about the bind-users mailing list