When dnssec-validation stops working?

John Marshall john.marshall at riverwillow.com.au
Mon Aug 17 05:19:50 UTC 2009

On Sun, 16 Aug 2009, 23:39 -0400, Paul Wouters wrote:
> On Mon, 17 Aug 2009, John Marshall wrote:
> >named[204]: no valid RRSIG resolving 'cvsup.au.freebsd.org/A/IN': 
> >
> >What should I do to troubleshoot this if it happens again?
> First of all, try and dump the cache, using rndc dumpdb -all. This
> gets a snapshot of the current state of your nameservers. Debugging
> something a few hours later might look completely different in a DNS
> world.

Thanks.  After 1 hour of normal operation it went weird again.  I
generated a dump and took a copy of it.

> When doing dnssec queries that cause servfails, running the query
> with the Checking Disabled (CD) bit, might tell you a little bit
> more on what the named thinks it has. It's still a bit tricky to
> figure out things from that, eg "dig +dnssec +cd cvsup.au.freebsd.org."

Setting the cdflag resulted in a successful query.  No dnssec
information because the zone isn't signed.

> You can also use "drill" from the ldns package, to get some more
> information. In this case, running "drill -D -S cvsup.au.freebsd.org"
> would have been interesting, as it would go through all the parent
> records chasing where this supposed RRSIG came from.

Thanks for that.  Unfortunately, by the time I had downloaded and
installed drill, the server had "come good" - without a restart.

> Note that cvsup.au.freebsd.org is a CNAME to freebsd4.riverwillow.net.au.
> Was riverwillow.net.au the internal view zone you had signed?

riverwillow.net.au is an external (unsigned) zone.  Sorry for the
confusion.  I should have picked something completely unrelated as an

All of the many "problem" domain names live under .org.

John Marshall
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20090817/37515d72/attachment.bin>

More information about the bind-users mailing list