no valid signature found - but where do the queries come from?

lejeczek peljasz at yahoo.co.uk
Thu Jul 7 14:50:32 UTC 2016


hi users,

I'm getting a lot of the below in the log:

validating @0x7f53140149a0: ccnr-winsrv1.xxx.private.other.dom.my.dom A: bad cache hit (uk.my.dom/DS)
validating @0x7f5314015630: ccnr-winsrv1.xxx.private.other.dom.my.dom AAAA: bad cache hit (uk.my.dom/DS)
error (broken trust chain) resolving 'ccnr-winsrv1.xxx.private.other.dom.my.dom/A/IN': 192.168.2.100#53
error (broken trust chain) resolving 'ccnr-winsrv1.xxx.private.other.dom.my.dom/AAAA/IN': 192.168.2.100#53
   validating @0x7f52e4002650: my.dom SOA: no valid signature found
   validating @0x7f52e40032e0: my.dom SOA: no valid signature found
   validating @0x7f52e4002650: my.dom NSEC: no valid signature found
   validating @0x7f52e40032e0: my.dom NSEC: no valid signature found
   validating @0x7f52e4002650: swir.my.dom NSEC: no valid signature found
   validating @0x7f52e4002650: swir.my.dom NSEC: bad cache hit (swir.my.dom/DS)
   validating @0x7f52e40032e0: swir.my.dom NSEC: no valid signature found
   validating @0x7f52e40032e0: swir.my.dom NSEC: bad cache hit (swir.my.dom/DS)
validating @0x7f52e40016c0: ccnr-winsrv1.xxx.private.other.dom.my.dom AAAA: bad cache hit (uk.my.dom/DS)
validating @0x7f52e40008c0: ccnr-winsrv1.xxx.private.other.dom.my.dom A: bad cache hit (uk.my.dom/DS)
error (broken trust chain) resolving 'ccnr-winsrv1.xxx.private.other.dom.my.dom/AAAA/IN': 192.168.2.100#53
error (broken trust chain) resolving 'ccnr-winsrv1.xxx.private.other.dom.my.dom/A/IN': 192.168.2.100#53

it's on a server - serverB.xxx.private.other.com(9.9.4) - 
which forwards zone my.dom to serverA.my.dom (9.8.2rc1)

serverB is insecure whereas serverA.my.dom uses dnssec.

Firstly, I'm hoping some experts could shed a bit of light on
what's happening with the frequency at which these get logged,
every few seconds. Is it the DNS itself, or are clients actually
nagging the server so constantly - how to trace it? - trace 6
and I cannot see anything.

Secondly, it must be the configuration, I think, though I think
it was OK some time ago. Now, on serverB I do:

$ host swir.my.dom. 127.0.0.1 -vv
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

Host swir.my.dom not found: 2(SERVFAIL)

further I do:

$ dig +qr my.dom.

and nothing, then:

$ dig +qr my.dom. @192.168.2.100 (which is serverA)

and I see NS, A; also this line from the log:

validating @0x7f52e40016c0: ccnr-winsrv1.xxx.private.other.dom.my.dom AAAA: bad cache hit (uk.my.dom/DS)

here is my.dom(serverA) appended to 
private.other.dom(serverB) - what does it mean?

how, where to start troubleshooting?

many! thanks


