When dnssec-validation stops working?

Paul Wouters paul at xelerance.com
Mon Aug 17 03:39:59 UTC 2009


On Mon, 17 Aug 2009, John Marshall wrote:

> named[204]: no valid RRSIG resolving 'cvsup.au.freebsd.org/A/IN': 123.136.33.242#53

> What should I do to troubleshoot this if it happens again?

First of all, try and dump the cache, using rndc dumpdb -all. This
gets a snapshot of the current state of your nameservers. Debugging
something a few hours later might look completely different in a DNS
world.

When doing dnssec queries that cause servfails, running the query
with the Checking Disabled (CD) bit might tell you a little bit
more on what the named thinks it has. It's still a bit tricky to
figure out things from that, e.g. "dig +dnssec +cd cvsup.au.freebsd.org."

You can also use "drill" from the ldns package, to get some more
information. In this case, running "drill -D -S cvsup.au.freebsd.org"
would have been interesting, as it would go through all the parent
records chasing where this supposed RRSIG came from.

Note that cvsup.au.freebsd.org is a CNAME to freebsd4.riverwillow.net.au.
Was riverwillow.net.au the internal view zone you had signed?

Paul
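Added example (not from Paul's post, nor part of BIND or ldns): a small Python parser for the answer section of a `dig +dnssec +cd` run that pulls out what the reply says is hard to read by eye, namely which RRsets come back with no RRSIG at all and whether each RRSIG's inception/expiration window still covers the time of the check. The sample answer is constructed: the names follow the thread, the address, key tag and signature bytes are made up.

```python
import re
from datetime import datetime, timezone

# Constructed sample of a `dig +dnssec +cd` answer section. The CNAME has
# no RRSIG, and the RRSIG over the A record expired a week before NOW.
SAMPLE_ANSWER = """\
cvsup.au.freebsd.org.        3600 IN CNAME freebsd4.riverwillow.net.au.
freebsd4.riverwillow.net.au. 3600 IN A     203.0.113.10
freebsd4.riverwillow.net.au. 3600 IN RRSIG A 5 3 3600 20090810000000 20090711000000 4321 riverwillow.net.au. c29tZS1mYWtlLXNpZw==
"""

# Date of the thread, used as "now" for the sample run.
NOW = datetime(2009, 8, 17, tzinfo=timezone.utc)

RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.*)$")


def parse_answer(text):
    """Return (records, rrsigs): plain RRs as (owner, type), RRSIGs as dicts."""
    records, rrsigs = [], []
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if not m:
            continue
        owner, rtype, rdata = m.groups()
        if rtype != "RRSIG":
            records.append((owner, rtype))
            continue
        # RRSIG rdata: type_covered alg labels orig_ttl expiration inception keytag signer sig
        f = rdata.split()
        rrsigs.append({
            "owner": owner, "covers": f[0], "keytag": int(f[6]), "signer": f[7],
            "expiration": datetime.strptime(f[4], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc),
            "inception": datetime.strptime(f[5], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc),
        })
    return records, rrsigs


def audit_answer(text, now):
    """List RRsets with no covering RRSIG and RRSIGs outside their validity window."""
    records, rrsigs = parse_answer(text)
    covered = {(s["owner"], s["covers"]) for s in rrsigs}
    problems = []
    for owner, rtype in records:
        if (owner, rtype) not in covered:
            problems.append(f"{owner} {rtype}: no RRSIG in answer (unsigned zone, or stripped on the way?)")
    for s in rrsigs:
        where = f"{s['owner']} RRSIG({s['covers']}) by {s['signer']} keytag {s['keytag']}"
        if now > s["expiration"]:
            problems.append(f"{where}: expired {s['expiration']:%Y-%m-%d}")
        elif now < s["inception"]:
            problems.append(f"{where}: not valid before {s['inception']:%Y-%m-%d}")
    return problems


if __name__ == "__main__":
    for p in audit_answer(SAMPLE_ANSWER, NOW):
        print(p)
```

The signer name in the output answers the question at the end of the post directly: it shows which zone's key produced the RRSIG that named rejected.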
