named validating @0x...: ... SOA: no valid signature found

Phil Mayers p.mayers at
Tue May 15 13:01:42 UTC 2012

On 15/05/12 13:22, Brian J. Murrell wrote:
> On 12-05-02 09:29 AM, Mark Andrews wrote:
>> * a firewall blocking EDNS queries.
>> * using a non DNSSEC enabled forwarder so you don't get signatures.
>> * a firewall blocking fragmented UDP and named falling back to
>>    plain DNS.
>> * other packet loss causing named to fall back to plain DNS.
> Given that I have confirmed EDNS works with:
> 	dig TXT
> 	dig TXT
> and that I don't have a firewall that would/should be dropping
> (properly) fragmented UDP[1] and I have no other indications of packet
> loss, are we looking at a bug in BIND9 to explain this (mis-)behavior?

Isn't it more likely it's a local problem?

Which version of BIND are you running? Does *any* zone validate? E.g. try:

dig +dnssec @localhost

...and you should see:

; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18199
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 8, ADDITIONAL: 11

Note the "ad" flag - "authenticated data".
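
The check described in the message above, scripted as an added example (not part of the original post and not BIND's own tooling). The function names and the two non-validated samples are constructed for illustration; the first sample reuses the header lines quoted above.

```shell
# Classify `dig +dnssec` output (stdin) from its header status and flags.
# Prints: validated | unvalidated | servfail | other:<STATUS> | no-header
classify_dig() {
    awk '
        /->>HEADER<<-/ {
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        # Header flags only; the "; EDNS: ... flags: do;" line is not matched.
        /^;; flags:/ {
            line = $0
            sub(/^;; flags:/, "", line)
            sub(/;.*/, "", line)
            n = split(line, f, " ")
            for (i = 1; i <= n; i++) flag[f[i]] = 1
            seen = 1
        }
        END {
            if (!seen || status == "") { print "no-header"; exit }
            # SERVFAIL from a validating resolver can mean validation failed;
            # an answer to the same query with +cdflag points that way.
            if (status == "SERVFAIL") print "servfail"
            else if (status != "NOERROR") print "other:" status
            else if ("ad" in flag) print "validated"
            else print "unvalidated"
        }'
}

# Hypothetical wrapper: check_validation <resolver> <zone>
check_validation() {
    dig +dnssec "@$1" "$2" SOA | classify_dig
}

# Header lines as quoted in the message above.
SAMPLE_AD='; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18199
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 8, ADDITIONAL: 11'
# Constructed: answer returned but not validated (no "ad"), EDNS "do" present.
SAMPLE_NOAD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096'
# Constructed: resolver refused to answer.
SAMPLE_FAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

printf '%s\n' "$SAMPLE_AD" | classify_dig
```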
