When dnssec-validation stops working?
paul at xelerance.com
Mon Aug 17 03:39:59 UTC 2009
On Mon, 17 Aug 2009, John Marshall wrote:
> named: no valid RRSIG resolving 'cvsup.au.freebsd.org/A/IN': 220.127.116.11#53
> What should I do to troubleshoot this if it happens again?
First of all, try and dump the cache, using rndc dumpdb -all. This
gets a snapshot of the current state of your nameservers. Debugging
something a few hours later might look completely different in a DNS
When doing dnssec queries that cause servfails, running the query
with the Checking Disabled (CD) bit might tell you a little bit
more on what the named thinks it has. It's still a bit tricky to
figure out things from that, e.g. "dig +dnssec +cd cvsup.au.freebsd.org."
You can also use "drill" from the ldns package, to get some more
information. In this case, running "drill -D -S cvsup.au.freebsd.org"
would have been interesting, as it would go through all the parent
records chasing where this supposed RRSIG came from.
Note that cvsup.au.freebsd.org is a CNAME to freebsd4.riverwillow.net.au.
Was riverwillow.net.au the internal view zone you had signed?
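Added example, not from the thread or from BIND/ldns: a small POSIX shell triage helper that applies the CD-bit comparison Paul describes to constructed dig output (the RRSIG record, address, key tag and query ids are made up), and pulls the signer name out of the RRSIG so you can see which zone's keys the validator was using.

```shell
#!/bin/sh
# Triage a DNSSEC SERVFAIL: compare "dig +dnssec NAME" with the same query
# sent with the CD (Checking Disabled) bit, "dig +dnssec +cd NAME".
# Each function takes the captured text output of one dig run.

# RCODE from dig's ";; ->>HEADER<<-" line (NOERROR, SERVFAIL, ...).
dig_status() {
  printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1
}

# True if the answer section carries any RRSIG record.
has_rrsig() {
  printf '%s\n' "$1" | grep -q 'IN[[:space:]]*RRSIG'
}

# Signer-name field (12th column) of the first RRSIG: the zone whose keys the
# validator used. If that is a zone you sign only in an internal view, that
# view is the one to inspect.
rrsig_signer() {
  printf '%s\n' "$1" | awk '$3=="IN" && $4=="RRSIG" { print $12; exit }'
}

# ok: normal query succeeds.  bogus: data is there with CD but validation
# fails (bad/expired signatures, stale trust anchor, wrong view).
# unsigned-or-insecure: CD answer has no RRSIG at all.
# resolution-failure: even CD gets SERVFAIL, so it is not a DNSSEC problem.
classify() {
  normal_out="$1"; cd_out="$2"
  if [ "$(dig_status "$normal_out")" = "NOERROR" ]; then echo ok; return; fi
  case "$(dig_status "$cd_out")" in
    NOERROR) if has_rrsig "$cd_out"; then echo bogus; else echo unsigned-or-insecure; fi ;;
    *) echo resolution-failure ;;
  esac
}

# Constructed sample output (not a real capture) for the case in the thread.
NORMAL_OUT=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1234
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

CD_OUT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1235
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
cvsup.au.freebsd.org. 3600 IN CNAME freebsd4.riverwillow.net.au.
freebsd4.riverwillow.net.au. 3600 IN A 192.0.2.10
freebsd4.riverwillow.net.au. 3600 IN RRSIG A 5 3 3600 20090901000000 20090801000000 12345 riverwillow.net.au. EXAMPLESIGNATURE='

echo "verdict: $(classify "$NORMAL_OUT" "$CD_OUT")"   # bogus
echo "signed by: $(rrsig_signer "$CD_OUT")"          # riverwillow.net.au.
```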