named validating @0x...: ... SOA: no valid signature found
marka at isc.org
Fri Jul 20 23:16:26 UTC 2012
In message <500985C0.3000307 at interlinx.bc.ca>, "Brian J. Murrell" writes:
> On 12-07-20 11:40 AM, Mark Andrews wrote:
> > In message <500978A5.4070109 at imperial.ac.uk>, Phil Mayers writes:
> >> On 20/07/12 16:21, Mark Andrews wrote:
> >>> In message <50096C2B.1080806 at interlinx.bc.ca>, "Brian J. Murrell" wri=
> >>>> Just for good measure, since I think I have posted this before, but =
> >>>> are the options I have set in my bind configuration with regard to d=
> >>>> :
> >>>> dnssec-enable yes;
> >>>> dnssec-validation yes;
> >>>> dnssec-lookaside auto;
> > My bad. "dnssec-validation auto;" is what I was thinking about.
> Interesting. Is "auto" for that value different/better than "yes",
> which I have configured already?
"dnssec-validation auto;" tells named to use the compiled in root key in addition to enabling validation. Depending on the version this is a plain trusted-key or a managed-key.

If NS_SYSCONFDIR/bind.keys exists and is readable its contents override the built in contents. The root key(s) and dlv.isc.org key(s) are loaded from this file for dnssec-validation auto; and dnssec-lookaside auto;
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
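A check for the distinction explained in the message above, added here as an example and not part of the original post or of BIND: it reports whether a named.conf text uses "dnssec-validation auto;" (compiled-in root key) or "dnssec-validation yes;" with or without an explicitly configured trust anchor. The function names, result strings and the sample options block are assumptions made for this example.

```python
import re

# Quoted strings are matched first so comment markers inside them are ignored.
_TOKEN = re.compile(r'"[^"\n]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_MODE = re.compile(r'(?<![\w-])dnssec-validation\s+(\w+)\s*;')
# Statements that configure a trust anchor explicitly; trust-anchors is the
# name used by newer BIND 9 releases.
_ANCHOR = re.compile(r'(?<![\w-])(?:trusted-keys|managed-keys|trust-anchors)\s*\{')


def strip_comments(text):
    """Drop /* */, // and # comments; blank out quoted strings."""
    return _TOKEN.sub(lambda m: '""' if m.group(0)[0] == '"' else " ", text)


def audit_validation(conf_text):
    """Classify how a named.conf text sets up DNSSEC validation.

    Only the text passed in is inspected; files pulled in with include
    statements are not followed.
    """
    conf = strip_comments(conf_text)
    m = _MODE.search(conf)
    if m is None:
        return "unset"
    mode = m.group(1).lower()
    if mode == "auto":
        return "auto-builtin-root-key"
    if mode == "yes":
        # "yes" enables validation but does not load the compiled-in root key.
        return "yes-explicit-anchor" if _ANCHOR.search(conf) else "yes-no-explicit-anchor"
    return "disabled" if mode == "no" else "unknown-value"


# Constructed sample: the three options quoted in the thread, wrapped in an
# options block (the wrapper and the comment line are assumptions).
THREAD_CONF = """
options {
    dnssec-enable yes;
    dnssec-validation yes;   // not "dnssec-validation auto;"
    dnssec-lookaside auto;
};
"""

if __name__ == "__main__":
    print(audit_validation(THREAD_CONF))
```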