<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 02/25/2013 02:33 PM, Robert
Moskowitz wrote:<br>
</div>
<blockquote cite="mid:512BBC82.4080000@htt-consult.com" type="cite">
<meta http-equiv="Context-Type" content="text/html;
charset=ISO-8859-1">
<br>
<div class="moz-cite-prefix">On 02/25/2013 02:00 PM, Casey Deccio
wrote:<br>
</div>
<blockquote
cite="mid:CAEKtLiSLdsWZ8odu6LR+R=-O4sYuSAQVqfnaQMoe8cgyW5vG7Q@mail.gmail.com"
type="cite"> On Mon, Feb 25, 2013 at 5:09 AM, Robert Moskowitz <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:rgm@htt-consult.com" target="_blank">rgm@htt-consult.com</a>></span>
wrote:<br>
<div class="gmail_quote">
<blockquote class="gmail_quote"> Yes, I know lots of places
don't have DNSSEC signed zones. **I** have not done mine
yet, but I turned on DNSSEC checking on my server and I am
getting all too many messages like:<br>
<br>
validating @0xb4247b50: 117.in-addr.arpa NSEC: no
valid signature found: 1 Time(s)<br>
validating @0xb4247b50: 117.in-addr.arpa SOA: no valid
signature found: 1 Time(s)<br>
</blockquote>
<div><br>
Yes, but 117.in-addr.arpa *is* signed [1], so if you're not
getting signatures, that's problematic.<br>
</div>
</div>
</blockquote>
<br>
So that is not good. This is over port 53, right? I have that
open for udp and tcp. My general options section has:<br>
<br>
dnssec-enable yes;<br>
dnssec-validation yes;<br>
dnssec-lookaside auto;<br>
<br>
/* Path to ISC DLV key */<br>
bindkeys-file "/etc/named.iscdlv.key";<br>
<br>
managed-keys-directory "/var/named/dynamic";<br>
<br>
<br>
<blockquote
cite="mid:CAEKtLiSLdsWZ8odu6LR+R=-O4sYuSAQVqfnaQMoe8cgyW5vG7Q@mail.gmail.com"
type="cite">
<div class="gmail_quote">
<blockquote class="gmail_quote"> How can I stop the logging of
only " no valid signature found"? So I can watch for more
meaningful events and not so quickly grow /var/log/messages?<br>
</blockquote>
<div><br>
Logging can be tuned on a per-category (e.g., DNSSEC) basis,
including the location to which log messages are sent (e.g.,
file, syslog, etc.). See the section on logging in the BIND
9 Configuration Reference for more information on how to do
this [2].<br>
</div>
</div>
</blockquote>
<br>
thanks I will read this AFTER I find out why I am not getting the
signature. Perhaps I should check to see if I am getting any
sigs? How might I do that?<br>
</blockquote>
<br>
Well I am not getting this sig authenticated. Per offlist
instructions I did (and got no aa flag):<br>
<br>
dig +dnssec 117.in-addr.arpa ptr<br>
<br>
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.6
<<>> +dnssec 117.in-addr.arpa ptr<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
34757<br>
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags: do; udp: 4096<br>
;; QUESTION SECTION:<br>
;117.in-addr.arpa. IN PTR<br>
<br>
;; AUTHORITY SECTION:<br>
117.in-addr.arpa. 10800 IN SOA ns1.apnic.net.
read-txt-record-of-zone-first-dns-admin.apnic.net. 3006077576 7200
1800 604800 172800<br>
117.in-addr.arpa. 10800 IN RRSIG SOA 5 3 172800
20130327180149 20130225170149 31261 117.in-addr.arpa.
bC/xkWAsZ9+NdEMshdBQKqE4Xkdvjnwtqquvbl2142Og64XkgplTlrB8
gMgCGxeorXpzvPJDsCfhlpXWsq2ck+qSSvOEJeOEt88BBumMAO1Bc46k
klXmQ4+eckbnWEwrpk4nkG+3K8lbAgZZjSPiVpbu4klfRyZ+T45EnZx0 oJc=<br>
117.in-addr.arpa. 10800 IN RRSIG NSEC 5 3 172800
20130327180149 20130225170149 31261 117.in-addr.arpa.
LIxMYOMIW8eTRACvq02vqMrhSk7tX8Az2gahOJ5jYCUvGDzsTtcm7ub+
qyWADcklsVi3hiWHnSzAPTIrO6WIrxj/wZl/5m5QTOK38Ml4ut0FFkK+
4qujylUJ8+3mmPbTbTIe6gdB8Lv/6pV2rZy1pDm1TxhGykwG82v+1R2E +88=<br>
117.in-addr.arpa. 10800 IN NSEC 0.117.in-addr.arpa. NS
SOA TXT RRSIG NSEC DNSKEY<br>
<br>
;; Query time: 207 msec<br>
;; SERVER: 208.83.67.148#53(208.83.67.148)<br>
;; WHEN: Mon Feb 25 15:16:54 2013<br>
;; MSG SIZE rcvd: 527<br>
<br>
<br>
</body>
</html>