proper setup of dnssec-validation to _always_ resolve, and retrieve DATA and status flags ?

dchilton+bind at dchilton+bind at
Tue May 10 14:39:42 UTC 2011


> > not sure how to read that.  now that my time's correct again, can/should
> > I leave the server as is?  or is there a specific recommendation for
> > time setup on a DNS server?

On Tue, 10 May 2011 16:58 +1000, "Mark Andrews" <marka at> wrote:
> "date -u" may now be correct but is plain "date"?   If it isn't you
> should correct timezone for the server so that both "date" and "date
> -u" are correct.  Otherwise you leave the server open to the
> accidental misconfiguration that probably caused this problem in
> the first place.

On Tue, 10 May 2011 10:37 +0100, "Phil Mayers" <p.mayers at>
> On 05/10/2011 07:58 AM, Mark Andrews wrote:
> Also, depending on your OS, check what timezone the hardware (bios) 
> clock is stored in, and when you next reboot the server, check that it 
> pushes OS time -> hardware time correctly, and reads it back correctly 
> on startup.

thanks for the pointers. hwclock was wrong, too.

after setting  HWCLOCK=-u" in '/etc/sysconfig/clock', after reboot,
'date', 'date -u', and 'hwclock' all now track correctly, and

grep valid /etc/named.conf
  dnssec-validation yes; 
dig | egrep "^|WHEN"          3398    IN      CNAME
  ;; WHEN: Tue May 10 07:37:31 2011

still works, and @ the correct time! lessons learned ...

thanks again,


More information about the bind-users mailing list