Stop of logging of No Valid Signature Found

Robert Moskowitz rgm at htt-consult.com
Tue Feb 26 02:07:39 UTC 2013


On 02/25/2013 08:38 PM, Mark Andrews wrote:
> In message <512C1009.4060404 at htt-consult.com>, Robert Moskowitz writes:
>>>>>>       dnssec-enable yes;
>>>>>>       dnssec-validation yes;
>>>> digging back in the archive here, I find out this should be
>>>>
>>>>        dnssec-validation auto;
>>> Actually it can be either.  It's all a matter of how you want to
>>> setup your trust anchors.  For private root zones it is absolutely
>>> the wrong thing to do.
>> I got this from some old messages from you on the subject of "no valid
>> signature".
>>
>> Perhaps tieing into my using the builtin root hints rather than
>> explicitly including a root.hint stub?
>>
>> Like the other person, once I changed from 'yes' to 'auto' I stopped
>> logging these messages so I ASSuME that now all those zones are being
>> validated.
>>
>> No private root zones here.  At least that I know of!
> dnssec-validation auto; adds a implicit managed-keys clause for the
> root.  If you just do dnssec-validation yes; you need to add a
> explict trusted-keys / managed-keys clause.
>
> managed-keys {
>          . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
> };

Yes, I wondered about this as I have the include:

     bindkeys-file "/etc/named.iscdlv.key";

which contains:

managed-keys {
     # ISC DLV: See https://www.isc.org/solutions/dlv for details.
         # NOTE: This key is activated by setting "dnssec-lookaside auto;"
         # in named.conf.
     dlv.isc.org. initial-key 257 3 5 
"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
         brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
         1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
         ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
         Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
         QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
         TDN0YUuWrBNh";

     # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
     # for current trust anchor information.
         # NOTE: This key is activated by setting "dnssec-validation auto;"
         # in named.conf.
     . initial-key 257 3 8 
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
         FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
         bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
         X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
         W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
         Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
         QxA+Uk1ihz0=";
};

So why did this not work?

> If you have islands of trust you will need to have managed/trusted
> keys for them.  It is also a good idea to have managed/trusted keys
> for your internal zones so you are not dependent on external zones
> for internal lookups when your internet connection goes down.

I know I need to tackle my internal view.  After I put up the new 
server, I built a test server for only a few internal systems to use.  I 
will work on my internal view there, and then bring that over to my main 
server.

One step at a time.  Or maybe two or three?





More information about the bind-users mailing list