Stop of logging of No Valid Signature Found
Robert Moskowitz
rgm at htt-consult.com
Tue Feb 26 01:03:49 UTC 2013
On 02/25/2013 03:25 PM, Robert Moskowitz wrote:
>
> On 02/25/2013 02:33 PM, Robert Moskowitz wrote:
>>
>> On 02/25/2013 02:00 PM, Casey Deccio wrote:
>>> On Mon, Feb 25, 2013 at 5:09 AM, Robert Moskowitz
>>> <rgm at htt-consult.com <mailto:rgm at htt-consult.com>> wrote:
>>>
>>> Yes, I know lots of places don't have DNSSEC signed zones.
>>> **I** have not done mine yet, but I turned on DNSSEC checking
>>> on my server and I am getting all too many messages like:
>>>
>>> validating @0xb4247b50: 117.in-addr.arpa NSEC: no valid
>>> signature found: 1 Time(s)
>>> validating @0xb4247b50: 117.in-addr.arpa SOA: no valid
>>> signature found: 1 Time(s)
>>>
>>>
>>> Yes, but 117.in-addr.arpa *is* signed [1], so if you're not getting
>>> signatures, that's problematic.
>>
>> So that is not good. This is over port 53, right? I have that open
>> for udp and tcp. My general options section has:
>>
>> dnssec-enable yes;
>> dnssec-validation yes;
digging back in the archive here, I find out this should be
dnssec-validation auto;
And now I don't have all those false no valid sig messages and I can
look for the NEXT problem.
>> dnssec-lookaside auto;
>>
>> /* Path to ISC DLV key */
>> bindkeys-file "/etc/named.iscdlv.key";
>>
>> managed-keys-directory "/var/named/dynamic";
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20130225/9a5004e0/attachment.html>
More information about the bind-users
mailing list