bind 9.8.2 "no valid signature found"

Jim Garrison jhg at
Thu Jan 26 06:35:43 UTC 2017

Running CentOS 6.8 with bind-9.8.2-0.47.rc1.el6_8.4.x86_64

I'm getting lots of log messages of the form

Jan 25 22:11:55 janus named[10123]: validating @0x7f51084b6450: A: no valid signature found

CloudFlare's DNSSEC seems to be OK according to and

Looking at the traffic with Wireshark, I see the RRSIG uses
ECDSA Curve P-256 with SHA-256.  Should bind 9.8.2 be able to
recognize that algorithm or is a newer version of bind needed?

Output of named -V (Is the OpenSSL version to blame?)

BIND 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 built with
'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'

using OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013
using libxml2 version: 2.7.6

Jim Garrison (jhg at
PGP Keys at RSA 0x04B73B7F DH 0x70738D88

More information about the bind-users mailing list