named validating @0x...: ... SOA: no valid signature found

Brian J. Murrell brian at
Sun May 6 14:13:49 UTC 2012

On 12-05-02 09:29 AM, Mark Andrews wrote:
> The zones are signed.  Possible reason are:
> * a firewall blocking EDNS queries.

This shouldn't be the case.  Outgoing traffic from the bind9 server
being used here should be completely unfettered.

> * using a non DNSSEC enabled forwarder so you don't get signatures.

I believe my forwarder (bind9 server) is DNSSEC enabled:

options {
        // enable DNSSEC
        dnssec-enable yes;
        dnssec-validation yes;
        // as of 9.7, use "auto" instead
        // dnssec-lookaside . trust-anchor;
        dnssec-lookaside auto;


> * a firewall blocking fragmented UDP and named falling back to
>   plain DNS.

Again, the firewall should be allowing bind9 to do whatever it wants.

> * other packet loss causing named to fallback to plain DNS.

I'm not seeing any evidence of that here otherwise.

Can you prescribe any tests that I can do to [dis-]prove any of the
above theories?

Cheers and much thanks,

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the bind-users mailing list