Stop of logging of No Valid Signature Found
    Robert Moskowitz 
    rgm at htt-consult.com
       
    Mon Feb 25 19:33:22 UTC 2013
    
    
  
On 02/25/2013 02:00 PM, Casey Deccio wrote:
> On Mon, Feb 25, 2013 at 5:09 AM, Robert Moskowitz <rgm at htt-consult.com> wrote:
>
>     Yes, I know lots of places don't have DNSSEC signed zones.  **I**
>     have not done mine yet, but I turned on DNSSEC checking on my
>     server and I am getting all too many messages like:
>
>           validating @0xb4247b50: 117.in-addr.arpa NSEC: no valid
>     signature found: 1 Time(s)
>           validating @0xb4247b50: 117.in-addr.arpa SOA: no valid
>     signature found: 1 Time(s)
>
>
> Yes, but 117.in-addr.arpa *is* signed [1], so if you're not getting 
> signatures, that's problematic.
So that is not good.  This is over port 53, right?  I have that open for 
udp and tcp.  My general options section has:
     dnssec-enable yes;
     dnssec-validation yes;
     dnssec-lookaside auto;
     /* Path to ISC DLV key */
     bindkeys-file "/etc/named.iscdlv.key";
     managed-keys-directory "/var/named/dynamic";
>     How can I stop the logging of only " no valid signature found"?
>      So I can watch for more meaningful events and not so quickly grow
>     /var/log/messages?
>
>
> Logging can be tuned on a per-category (e.g., DNSSEC) basis, including 
> the location to which log messages are sent (e.g., file, syslog, 
> etc.).  See the section on logging in the BIND 9 Configuration 
> Reference for more information on how to do this [2].
Thanks, I will read this AFTER I find out why I am not getting the 
signature.  Perhaps I should check to see if I am getting any sigs? How 
might I do that?
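
An added example, not part of the original message or of the BIND documentation: a named.conf logging stanza of the kind the reply refers to, which sends the dnssec category to its own size-limited file so validation messages stay reviewable without growing /var/log/messages. The channel name and file path are assumptions, and it assumes the "no valid signature found" messages are logged under the dnssec category as the reply suggests.

```conf
logging {
    // Assumed channel name and path; use a directory named can write to.
    channel dnssec_file {
        // Keep 5 rotated copies of at most 10 MB each to cap disk use.
        file "/var/named/data/dnssec.log" versions 5 size 10m;
        severity info;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    // Once a category is listed here, its messages go only to the
    // channels named, so they no longer reach the default syslog channel.
    category dnssec { dnssec_file; };

    // Alternative that discards the category entirely. It would also hide
    // genuine validation failures, such as the signed 117.in-addr.arpa
    // zone discussed above, so it is left commented out.
    // category dnssec { null; };
};
```

Check the edited file with named-checkconf before reloading named.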