Stop of logging of No Valid Signature Found

Robert Moskowitz rgm at htt-consult.com
Tue Feb 26 01:03:49 UTC 2013


On 02/25/2013 03:25 PM, Robert Moskowitz wrote:
>
> On 02/25/2013 02:33 PM, Robert Moskowitz wrote:
>>
>> On 02/25/2013 02:00 PM, Casey Deccio wrote:
>>> On Mon, Feb 25, 2013 at 5:09 AM, Robert Moskowitz <rgm at htt-consult.com> wrote:
>>>
>>>     Yes, I know lots of places don't have DNSSEC signed zones.
>>>      **I** have not done mine yet, but I turned on DNSSEC checking
>>>     on my server and I am getting all too many messages like:
>>>
>>>           validating @0xb4247b50: 117.in-addr.arpa NSEC: no valid
>>>     signature found: 1 Time(s)
>>>           validating @0xb4247b50: 117.in-addr.arpa SOA: no valid
>>>     signature found: 1 Time(s)
>>>
>>>
>>> Yes, but 117.in-addr.arpa *is* signed [1], so if you're not getting 
>>> signatures, that's problematic.
>>
>> So that is not good.  This is over port 53, right?  I have that open 
>> for udp and tcp.  My general options section has:
>>
>>     dnssec-enable yes;
>>     dnssec-validation yes;

Digging back in the archive here, I find that this should be

     dnssec-validation auto;

And now I don't have all those false no valid sig messages and I can 
look for the NEXT problem.

>>     dnssec-lookaside auto;
>>
>>     /* Path to ISC DLV key */
>>     bindkeys-file "/etc/named.iscdlv.key";
>>
>>     managed-keys-directory "/var/named/dynamic";
>>
>>
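As an added example (not part of the thread or of BIND itself), a small Python check that flags the options combination discussed above: in BIND 9, `dnssec-validation yes` only validates against trust anchors you configure yourself with `trusted-keys` or `managed-keys`, while `auto` also loads the built-in root key. The two named.conf fragments are constructed from the lines quoted in the thread, and the function name `check_dnssec_validation` is this example's own.

```python
import re

# Constructed named.conf fragments modelled on the options quoted in the
# thread (not the poster's actual file): BROKEN_CONF is the "dnssec-validation
# yes" setup that logged "no valid signature found", FIXED_CONF the corrected one.
BROKEN_CONF = """
options {
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
};
"""
FIXED_CONF = BROKEN_CONF.replace("dnssec-validation yes;", "dnssec-validation auto;")


def _strip_comments(conf: str) -> str:
    """Drop the C, C++ and shell style comments that named.conf allows."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)


def check_dnssec_validation(conf: str) -> list[str]:
    """Return findings about the resolver's DNSSEC validation configuration."""
    conf = _strip_comments(conf)
    findings = []
    match = re.search(r"\bdnssec-validation\s+(yes|no|auto)\s*;", conf)
    mode = match.group(1) if match else None
    # Explicitly configured trust anchors; 'yes' validates only against these.
    has_anchor = re.search(r"\b(trusted-keys|managed-keys|trust-anchors)\s*\{", conf) is not None
    if re.search(r"\bdnssec-enable\s+no\s*;", conf):
        findings.append("dnssec-enable no: DNSSEC is disabled entirely")
    if mode is None:
        findings.append("dnssec-validation not set: the default depends on the BIND version")
    elif mode == "no":
        findings.append("dnssec-validation no: answers are never validated")
    elif mode == "yes" and not has_anchor:
        findings.append("dnssec-validation yes without trusted-keys/managed-keys: "
                        "no root trust anchor is loaded; use 'auto' for the built-in root key")
    if re.search(r"\bdnssec-lookaside\s+auto\s*;", conf):
        findings.append("dnssec-lookaside auto: depends on the ISC DLV registry, retired in 2017")
    return findings


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, check_dnssec_validation(conf))
```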
