dnssec-enable made named stop working

Leandro ingrogger at gmail.com
Tue Jul 14 21:14:04 UTC 2015


Suddenly   server stop working ; on logs following messages appeared :

alidating @0x7f2c60591400: . NS: got insecure response; parent indicates 
it should be secure
error (insecurity proof failed) resolving './NS/IN': 199.7.83.42#53
validating @0x7f2c60528430: net SOA: verify failed due to bad signature 
(keyid=48497): RRSIG validity period has not begun
validating @0x7f2c60528430: net SOA: no valid signature found
After add
dnssec-enable = no ;
and restart the server, it began working again.


a)Why did it happen if server was already working ?
In my original named.conf I had default settings like this:
the include statement:
include "/etc/named.root.key";
and the file named.root.key containing:

managed-keys {
     # DNSKEY for the root zone.
     # Updates are published on root-dnssec-announce at icann.org
     . initial-key 257 3 8 
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF 
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX 
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD 
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz 
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS 
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=";
};

b) Is it bad practice  to disable dnssec option ?
c) Which is a good practice about dnssec use ?
e) Named using dnssec have problems very often ?
c) Using dnssec will decrease server performance ?


Sorry for the questions battery butIm very concerned about it, my server 
was ready to go on production but now I have to figure out this issue.
I am reading some docs and researching about this.
Any comments or thought  would be wellcome
Leandro.









More information about the bind-users mailing list