<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <br>
    <div class="moz-cite-prefix">On 02/25/2013 03:25 PM, Robert
      Moskowitz wrote:<br>
    </div>
    <blockquote cite="mid:512BC8D6.2030806@htt-consult.com" type="cite">
<meta http-equiv="Content-Type" content="text/html;
        charset=ISO-8859-1">
      <br>
      <div class="moz-cite-prefix">On 02/25/2013 02:33 PM, Robert
        Moskowitz wrote:<br>
      </div>
      <blockquote cite="mid:512BBC82.4080000@htt-consult.com"
        type="cite"> <br>
        <div class="moz-cite-prefix">On 02/25/2013 02:00 PM, Casey
          Deccio wrote:<br>
        </div>
        <blockquote
cite="mid:CAEKtLiSLdsWZ8odu6LR+R=-O4sYuSAQVqfnaQMoe8cgyW5vG7Q@mail.gmail.com"
          type="cite"> On Mon, Feb 25, 2013 at 5:09 AM, Robert Moskowitz
<span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:rgm@htt-consult.com" target="_blank">rgm@htt-consult.com</a>&gt;</span>
          wrote:<br>
          <div class="gmail_quote">
            <blockquote class="gmail_quote"> Yes, I know lots of places
              don't have DNSSEC signed zones.  **I** have not done mine
              yet, but I turned on DNSSEC checking on my server and I am
              getting all too many messages like:<br>
              <br>
                    validating @0xb4247b50: 117.in-addr.arpa NSEC: no
              valid signature found: 1 Time(s)<br>
                    validating @0xb4247b50: 117.in-addr.arpa SOA: no
              valid signature found: 1 Time(s)<br>
            </blockquote>
            <div><br>
              Yes, but 117.in-addr.arpa *is* signed [1], so if you're
              not getting signatures, that's problematic.<br>
            </div>
          </div>
        </blockquote>
        <br>
        So that is not good.  This is over port 53, right?  I have that
        open for udp and tcp.  My general options section has:<br>
        <br>
            dnssec-enable yes;<br>
            dnssec-validation yes;<br>
      </blockquote>
    </blockquote>
    <br>
Digging back in the archive here, I found out that this should be<br>
    <br>
        dnssec-validation auto;<br>
    <br>
And now I don't have all those false "no valid signature" messages and I can
    look for the NEXT problem.<br>
    <br>
    <blockquote cite="mid:512BC8D6.2030806@htt-consult.com" type="cite">
      <blockquote cite="mid:512BBC82.4080000@htt-consult.com"
        type="cite">     dnssec-lookaside auto;<br>
        <br>
            /* Path to ISC DLV key */<br>
            bindkeys-file "/etc/named.iscdlv.key";<br>
        <br>
            managed-keys-directory "/var/named/dynamic";<br>
        <br>
        <br>
      </blockquote>
    </blockquote>
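    <p>As an added illustration of the misconfiguration discussed in this
    thread (this is not code from the thread or from ISC BIND): with
    <code>dnssec-validation yes;</code> BIND enables validation but expects a
    trust anchor to be configured by hand in a <code>trusted-keys</code> or
    <code>managed-keys</code> block, whereas <code>auto</code> uses the built-in
    root-zone trust anchor. The small checker below flags a
    <code>named.conf</code> fragment that enables validation with
    <code>yes</code> but configures no trust anchor. It uses a deliberately
    minimal regex approximation of named.conf syntax, ignores DLV lookaside
    (which is not a root-zone anchor), and the sample configurations are
    constructed for illustration.</p>

```python
"""Flag 'dnssec-validation yes;' with no configured trust anchor in a BIND
named.conf fragment.  Added example; not code from the thread or from ISC
BIND.  Regex-based approximation of named.conf syntax, not a full parser."""
import re

# Strip /* ... */, // and # comments so a commented-out statement is not counted.
_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
_VALIDATION_RE = re.compile(r"\bdnssec-validation\s+(yes|no|auto)\s*;")
# A manually configured trust anchor block.  Note that 'managed-keys-directory'
# does not match, because no '{' follows the keyword.  DLV lookaside
# (dnssec-lookaside / bindkeys-file) is deliberately not treated as an anchor.
_ANCHOR_RE = re.compile(r"\b(trusted-keys|managed-keys)\s*\{")


def check_validation(conf: str) -> str:
    """Return 'unset', 'off', 'auto', 'yes-with-anchor' or 'yes-without-anchor'."""
    text = _COMMENT_RE.sub("", conf)
    m = _VALIDATION_RE.search(text)
    if m is None:
        return "unset"
    value = m.group(1)
    if value == "no":
        return "off"
    if value == "auto":
        return "auto"  # built-in root trust anchor is used (BIND 9.8 and later)
    # value == "yes": a trust anchor must be configured manually
    return "yes-with-anchor" if _ANCHOR_RE.search(text) else "yes-without-anchor"


# Constructed sample mirroring the options block quoted in the thread.
BROKEN_CONF = """
options {
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
};
"""

# Constructed sample with the setting the thread arrived at.
FIXED_CONF = BROKEN_CONF.replace("dnssec-validation yes;", "dnssec-validation auto;")

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(f"{name}: {check_validation(conf)}")
```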
    <br>
  </body>
</html>