Stop of logging of No Valid Signature Found

Robert Moskowitz rgm at htt-consult.com
Mon Feb 25 20:25:58 UTC 2013


On 02/25/2013 02:33 PM, Robert Moskowitz wrote:
>
> On 02/25/2013 02:00 PM, Casey Deccio wrote:
>> On Mon, Feb 25, 2013 at 5:09 AM, Robert Moskowitz 
>> <rgm at htt-consult.com <mailto:rgm at htt-consult.com>> wrote:
>>
>>     Yes, I know lots of places don't have DNSSEC signed zones.  **I**
>>     have not done mine yet, but I turned on DNSSEC checking on my
>>     server and I am getting all too many messages like:
>>
>>           validating @0xb4247b50: 117.in-addr.arpa NSEC: no valid
>>     signature found: 1 Time(s)
>>           validating @0xb4247b50: 117.in-addr.arpa SOA: no valid
>>     signature found: 1 Time(s)
>>
>>
>> Yes, but 117.in-addr.arpa *is* signed [1], so if you're not getting 
>> signatures, that's problematic.
>
> So that is not good.  This is over port 53, right?  I have that open 
> for udp and tcp.  My general options section has:
>
>     dnssec-enable yes;
>     dnssec-validation yes;
>     dnssec-lookaside auto;
>
>     /* Path to ISC DLV key */
>     bindkeys-file "/etc/named.iscdlv.key";
>
>     managed-keys-directory "/var/named/dynamic";
>
>
>>     How can I stop the logging of only " no valid signature found"?
>>      So I can watch for more meaningful events and not so quickly
>>     grow /var/log/messages?
>>
>>
>> Logging can be tuned on a per-category (e.g., DNSSEC) basis, 
>> including the location to which log messages are sent (e.g., file, 
>> syslog, etc.).  See the section on logging in the BIND 9 
>> Configuration Reference for more information on how to do this [2].
>
> Thanks, I will read this AFTER I find out why I am not getting the 
> signature.  Perhaps I should check to see if I am getting any sigs?  
> How might I do that?

Well, I am not getting this sig authenticated.  Per offlist instructions 
I did (and got no aa flag):

dig +dnssec 117.in-addr.arpa ptr

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.6 <<>> +dnssec 
117.in-addr.arpa ptr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34757
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;117.in-addr.arpa.        IN    PTR

;; AUTHORITY SECTION:
117.in-addr.arpa.    10800    IN    SOA    ns1.apnic.net. 
read-txt-record-of-zone-first-dns-admin.apnic.net. 3006077576 7200 1800 
604800 172800
117.in-addr.arpa.    10800    IN    RRSIG    SOA 5 3 172800 
20130327180149 20130225170149 31261 117.in-addr.arpa. 
bC/xkWAsZ9+NdEMshdBQKqE4Xkdvjnwtqquvbl2142Og64XkgplTlrB8 
gMgCGxeorXpzvPJDsCfhlpXWsq2ck+qSSvOEJeOEt88BBumMAO1Bc46k 
klXmQ4+eckbnWEwrpk4nkG+3K8lbAgZZjSPiVpbu4klfRyZ+T45EnZx0 oJc=
117.in-addr.arpa.    10800    IN    RRSIG    NSEC 5 3 172800 
20130327180149 20130225170149 31261 117.in-addr.arpa. 
LIxMYOMIW8eTRACvq02vqMrhSk7tX8Az2gahOJ5jYCUvGDzsTtcm7ub+ 
qyWADcklsVi3hiWHnSzAPTIrO6WIrxj/wZl/5m5QTOK38Ml4ut0FFkK+ 
4qujylUJ8+3mmPbTbTIe6gdB8Lv/6pV2rZy1pDm1TxhGykwG82v+1R2E +88=
117.in-addr.arpa.    10800    IN    NSEC    0.117.in-addr.arpa. NS SOA 
TXT RRSIG NSEC DNSKEY

;; Query time: 207 msec
;; SERVER: 208.83.67.148#53(208.83.67.148)
;; WHEN: Mon Feb 25 15:16:54 2013
;; MSG SIZE  rcvd: 527
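For the logging question raised earlier in the thread, here is a named.conf logging stanza of the kind the BIND 9 Configuration Reference describes. It is an added example, not configuration from anyone in this thread: it moves the dnssec category, under which the validator's "validating @0x...: ... no valid signature found" messages are emitted, into its own rotated file so they stop growing /var/log/messages, while everything else keeps going to syslog through the predefined default_syslog channel. The file path and rotation sizes are assumptions.

```conf
logging {
    // Dedicated, self-rotating file for DNSSEC validator output.
    // Path, version count and size are assumed values; adjust to taste.
    channel dnssec_log {
        file "/var/log/named/dnssec.log" versions 3 size 20m;
        severity info;          // keep the validation failures, just elsewhere
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    // Everything the validator logs goes only to the file above, so it
    // no longer lands in /var/log/messages via syslog.
    category dnssec { dnssec_log; };

    // All other categories keep the stock behaviour (syslog, daemon facility).
    category default { default_syslog; };
};
```

Raising the channel's severity (for example to "warning") would drop the info-level validator messages entirely, at the cost of losing the evidence needed to work out why a signed zone like 117.in-addr.arpa is failing to validate.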

