named validating @0x...: ... SOA: no valid signature found

Mark Andrews marka at isc.org
Fri Jul 20 23:16:26 UTC 2012


In message <500985C0.3000307 at interlinx.bc.ca>, "Brian J. Murrell" writes:
> On 12-07-20 11:40 AM, Mark Andrews wrote:
> >
> > In message <500978A5.4070109 at imperial.ac.uk>, Phil Mayers writes:
> >> On 20/07/12 16:21, Mark Andrews wrote:
> >>>
> >>> In message <50096C2B.1080806 at interlinx.bc.ca>, "Brian J. Murrell" writes:
> >>>> Just for good measure, since I think I have posted this before, but here
> >>>> are the options I have set in my bind configuration with regard to dnssec:
> >>>>
> >>>>          dnssec-enable yes;
> >>>>          dnssec-validation yes;
> >>>>          dnssec-lookaside auto;
> >
> > 	My bad.  "dnssec-validation auto;" is what I was thinking about.
> 
> Interesting.  Is "auto" for that value different/better than "yes",
> which I have configured already?
> 
> Cheers,
> b.

	"dnssec-validation auto;" tells named to use the compiled-in
	root key in addition to enabling validation.  Depending
	on the version this is a plain trusted-key or a managed-key.

	If NS_SYSCONFDIR/bind.keys exists and is readable, its contents
	override the built-in contents.

	The root key(s) and dlv.isc.org key(s) are loaded from this
	file for dnssec-validation auto; and dnssec-lookaside auto;
	respectively.

	Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
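
Added example, not part of the original message and not ISC or BIND code: a small check that reads a named.conf and reports which trust anchors the settings discussed above bring in. The sample configuration is constructed from the options quoted in the thread; the function names and the report keys are hypothetical, and an explicit trusted-keys or managed-keys block is assumed to hold the root key.

```python
import re

# Constructed sample mirroring the options quoted in the thread.
SAMPLE_CONF = """
options {
    dnssec-enable yes;
    dnssec-validation yes;   // setting under discussion
    dnssec-lookaside auto;
};
"""

def strip_comments(text):
    """Remove /* */, // and # comments as used in named.conf."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def option(text, name):
    """Return the first token after `name`, lower-cased, or None if unset."""
    m = re.search(r"(?<![\w-])" + re.escape(name) + r"\s+([^\s;]+)", text)
    return m.group(1).strip('"').lower() if m else None

def trust_anchor_report(conf):
    """Summarise where validation trust anchors come from (heuristic)."""
    text = strip_comments(conf)
    validation = option(text, "dnssec-validation")
    lookaside = option(text, "dnssec-lookaside")
    explicit = bool(
        re.search(r"(?<![\w-])(trusted-keys|managed-keys)\s*\{", text))
    anchors = []
    if validation == "auto":
        # Per the message: "auto" loads the compiled-in root key,
        # or the contents of bind.keys if that file is readable.
        anchors.append("root (built-in or bind.keys)")
    if lookaside == "auto":
        anchors.append("dlv.isc.org (built-in or bind.keys)")
    if explicit:
        anchors.append("explicit trusted-keys/managed-keys")
    return {
        "validation": validation,
        "anchors": anchors,
        # "yes" enables validation but does not load the root key itself.
        "needs_explicit_root_key": validation == "yes" and not explicit,
    }

if __name__ == "__main__":
    print(trust_anchor_report(SAMPLE_CONF))
```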


