When dnssec-validation stops working?
John Marshall
john.marshall at riverwillow.com.au
Mon Aug 17 05:19:50 UTC 2009
On Sun, 16 Aug 2009, 23:39 -0400, Paul Wouters wrote:
> On Mon, 17 Aug 2009, John Marshall wrote:
>
> >named[204]: no valid RRSIG resolving 'cvsup.au.freebsd.org/A/IN':
> >123.136.33.242#53
>
> >What should I do to troubleshoot this if it happens again?
>
> First of all, try and dump the cache, using rndc dumpdb -all. This
> gets a snapshot of the current state of your nameservers. Debugging
> something a few hours later might look completely different in a DNS
> world.
Thanks. After 1 hour of normal operation it went weird again. I
generated a dump and took a copy of it.
> When doing dnssec queries that cause servfails, running the query
> with the Checking Disabled (CD) bit might tell you a little bit
> more on what the named thinks it has. It's still a bit tricky to
> figure out things from that, e.g. "dig +dnssec +cd cvsup.au.freebsd.org."
Setting the cdflag resulted in a successful query. No dnssec
information because the zone isn't signed.
> You can also use "drill" from the ldns package, to get some more
> information. In this case, running "drill -D -S cvsup.au.freebsd.org"
> would have been interesting, as it would go through all the parent
> records chasing where this supposed RRSIG came from.
Thanks for that. Unfortunately, by the time I had downloaded and
installed drill, the server had "come good" - without a restart.
> Note that cvsup.au.freebsd.org is a CNAME to freebsd4.riverwillow.net.au.
> Was riverwillow.net.au the internal view zone you had signed?
riverwillow.net.au is an external (unsigned) zone. Sorry for the
confusion. I should have picked something completely unrelated as an
example.
All of the many "problem" domain names live under .org.
--
John Marshall
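As an added illustration (not part of this thread or of BIND), here is a small Python script that applies the check Paul describes: the same name is queried normally and again with +cd, and the two dig outputs are compared to separate a validator rejection from an upstream failure. The dig output embedded below is constructed sample text in dig's normal layout, with the addresses replaced by documentation-range values; the classification strings are a heuristic reading, not BIND's own diagnostics.

```python
import re

# Constructed sample dig output (not real captures): the normal query SERVFAILs...
PLAIN = """\
; <<>> DiG 9.6.1 <<>> +dnssec cvsup.au.freebsd.org.
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4096
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""
# ...while the same query with +cd (checking disabled) answers, with no RRSIGs.
WITH_CD = """\
; <<>> DiG 9.6.1 <<>> +dnssec +cd cvsup.au.freebsd.org.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4097
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
cvsup.au.freebsd.org.\t3600\tIN\tCNAME\tfreebsd4.riverwillow.net.au.
freebsd4.riverwillow.net.au.\t3600\tIN\tA\t192.0.2.10
"""

STATUS_RE = re.compile(r"status: ([A-Z]+)")

def parse_dig(output):
    """Pull the rcode, header flags and RRSIG presence out of dig's text output."""
    status, flags, has_rrsig = None, set(), False
    for line in output.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            m = STATUS_RE.search(line)
            status = m.group(1) if m else None
        elif line.startswith(";; flags:"):
            # ";; flags: qr rd ra cd; QUERY: ..." -> {"qr", "rd", "ra", "cd"}
            flags = set(line[len(";; flags:"):].split(";")[0].split())
        elif line and not line.startswith(";"):
            fields = line.split()          # name TTL class type rdata...
            if len(fields) > 3 and fields[3] == "RRSIG":
                has_rrsig = True
    return {"status": status, "flags": flags, "rrsig": has_rrsig}

def classify(plain, with_cd):
    """Heuristic reading of a normal query next to the same query with CD set."""
    p, c = parse_dig(plain), parse_dig(with_cd)
    if p["status"] == "SERVFAIL" and c["status"] == "NOERROR":
        if c["rrsig"]:
            return "validator rejected signed data (bad signature, DS or clock?)"
        return "validator expected signatures but the answer is unsigned"
    if p["status"] == "SERVFAIL" and c["status"] == "SERVFAIL":
        return "fails even with checking disabled: not a validation problem"
    if p["status"] == "NOERROR" and "ad" in p["flags"]:
        return "validated (AD flag set)"
    if p["status"] == "NOERROR":
        return "resolves without validation (insecure zone)"
    return "unexpected: %s / %s" % (p["status"], c["status"])
```

For the situation in this thread (SERVFAIL normally, a plain unsigned answer with +cd) the script reports that the validator expected signatures it did not get, which is the case to chase with the cache dump and drill.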