named validating @0x...: ... SOA: no valid signature found
Brian J. Murrell
brian at interlinx.bc.ca
Sun May 6 14:13:49 UTC 2012
On 12-05-02 09:29 AM, Mark Andrews wrote:
>
>
> The zones are signed. Possible reason are:
>
> * a firewall blocking EDNS queries.
This shouldn't be the case. Outgoing traffic from the bind9 server
being used here should be completely unfettered.
> * using a non DNSSEC enabled forwarder so you don't get signatures.
I believe my forwarder (bind9 server) is DNSSEC enabled:
options {
...
// enable DNSSEC
dnssec-enable yes;
dnssec-validation yes;
// as of 9.7, use "auto" instead
// dnssec-lookaside . trust-anchor dlv.isc.org.;
dnssec-lookaside auto;
};
> * a firewall blocking fragmented UDP and named falling back to
> plain DNS.
Again, the firewall should be allowing bind9 to do whatever it wants.
> * other packet loss causing named to fallback to plain DNS.
I'm not seeing any evidence of that here otherwise.
Can you prescribe any tests that I can do to [dis-]prove any of the
above theories?
Cheers and much thanks,
b.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20120506/45ec1d44/attachment.bin>
More information about the bind-users
mailing list