DNSSEC: RRSIG validity period has not begun

Rajalakshmi R RRajalakshmi at novell.com
Tue Oct 14 12:50:17 UTC 2008


Hi, 
I am trying to configure DNSSEC. So far I have created a zone (raji.com) and signed it with a ZSK only. On querying this authoritative server for DNSSEC data, the expected result is returned and the RRSIG RRs are included. However, when I try to add a trusted anchor (the ZSK) to some non-authoritative server and try to query for raji.com, dig returns no answers. On analysis of the log, it is seen that a response is received but the validation fails with the message below.
14-Oct-2008 17:16:34.386 received packet: 
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  62355 
;; flags: qr aa rd cd ; QUESTION: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3 
;; OPT PSEUDOSECTION: 
; EDNS: version: 0, flags: do; udp: 4096 
;; QUESTION SECTION: 
;raji.com.                      IN      DNSKEY 

;; ANSWER SECTION: 
raji.com.               86400   IN      DNSKEY  256 3 5 AwEAAe0rGK3esDcvfLXSqDtkPSuZAgVdBuzQxNYjMB3tt2x2YinBlt/Q 7bJanhr8IbUGe5IxfHEdMg7Q0tvx4PSx/XM667AovJJBo4isoXGz1iR5 bT6wdVaDyIMVcbVa225wn9Xbz+opTrO1++EPZ8MiCRGhg71xHduYQzBs YVVDFd1/ 
raji.com.               86400   IN      RRSIG   DNSKEY 5 2 86400 20081113142126 20081014142126 41667 raji.com. FR1WPQMiz6Jk/0rFYTYLIVxf5lGyXsIOIm5BjPlpIoVZwhDc7i/+Ckn6 UMdKLLor6jaDKfo8v3LdAWU3pbviZ3uERyvsTOhZ3ohayJhk8doCqsEM XhgcPbFKvsWTLY0zHctsa3BispIMBIa1QlEYp2qAeOD7KcMeISD/m4Me qGw= 

;; AUTHORITY SECTION: 
raji.com.               86400   IN      NS      ns2.smokeyjoe.com. 
raji.com.               86400   IN      NS      ns1.raji.com. 
raji.com.               86400   IN      RRSIG   NS 5 2 86400 20081113142126 20081014142126 41667 raji.com. gfdDOKOfHhsilmgu+324u1MCB1hr0T9gpU3L6NTAI3/kQYASo7+zPSCG mjHbd4O+D8/bdkt58ORqYHRwCcNLAeVSaf15Cvn4eS1F/zptFqSJNgy2 wHhhg+ReXDU4LKmzSamLDTMExA9RwNP2akbNKQ3CNelFbRfseeynpLBZ ADo= 

;; ADDITIONAL SECTION: 
ns1.raji.com.           86400   IN      A       192.168.0.1 
ns1.raji.com.           86400   IN      RRSIG   A 5 3 86400 20081113142126 20081014142126 41667 raji.com. 2ykoFHb8qJK0+cSQ/CPoNyZvrZZah5krxGWXeiYz3Ug438F3OaYYhV0v pLqfmXyVA5uhxL1nDazRi1VWDNqI2NtPG3bR759OCsZl9W1XgqpZ4v9u ywKezzyQl4Jdg9WSQUkNGOY1vyWnrxGop/QwaIRuuAgUZi1kZ0CS6pqQ aEc= 


14-Oct-2008 17:16:34.386 validating @0x555555742220: raji.com DNSKEY: starting 
14-Oct-2008 17:16:34.386 validating @0x555555742220: raji.com DNSKEY: attempting positive response validation 
14-Oct-2008 17:16:34.386 validating @0x555555742220: raji.com DNSKEY: verify rdataset (keyid=41667): RRSIG validity period has not begun 
14-Oct-2008 17:16:34.386 validating @0x555555742220: raji.com DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches one of specified trusted-keys for 'raji.com' 

Can anyone help me out with this issue?

Raji R 
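
An added example, not part of the original post and not BIND's own code: it parses the RRSIG expiration and inception fields from the packet above and compares them with a validator clock, which is the comparison behind the "validity period has not begun" log line. The clock value used is the archive's posting time (12:50:17 UTC), an assumption standing in for the validator's actual UTC time; the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# RRSIG presentation format (RFC 4034): type covered, algorithm, labels,
# original TTL, expiration, inception, key tag, signer name, signature.
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+(?P<keytag>\d+)\s+(?P<signer>\S+)",
    re.MULTILINE,
)

# Constructed sample: two RRSIG lines from the packet above, signature field left out.
SAMPLE = """\
raji.com.  86400 IN RRSIG DNSKEY 5 2 86400 20081113142126 20081014142126 41667 raji.com.
raji.com.  86400 IN RRSIG NS 5 2 86400 20081113142126 20081014142126 41667 raji.com.
"""

def rrsig_time(stamp):
    """RRSIG timestamps are written YYYYMMDDHHmmSS and are always UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(text):
    """Return one dict per RRSIG line found in dig-style text."""
    sigs = []
    for m in RRSIG_RE.finditer(text):
        sigs.append({
            "owner": m["owner"], "covered": m["covered"], "keytag": int(m["keytag"]),
            "inception": rrsig_time(m["inception"]),
            "expiration": rrsig_time(m["expiration"]),
        })
    return sigs

def check_window(sig, now):
    """Classify a signature against the validator's clock (aware UTC datetime)."""
    if now < sig["inception"]:
        return "not-yet-valid", sig["inception"] - now
    if now > sig["expiration"]:
        return "expired", now - sig["expiration"]
    return "valid", sig["expiration"] - now

if __name__ == "__main__":
    # Assumption: the archive's posting time stands in for the validator's clock.
    now = datetime(2008, 10, 14, 12, 50, 17, tzinfo=timezone.utc)
    for sig in parse_rrsigs(SAMPLE):
        status, delta = check_window(sig, now)
        print(f'{sig["owner"]} {sig["covered"]} keytag={sig["keytag"]}: {status} ({delta})')
```

To use it on a live validator, pass `datetime.now(timezone.utc)` from that host as `now`, so a skewed system clock or a signer clock set to local time shows up as a non-zero "not-yet-valid" gap.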


