Stop of logging of No Valid Signature Found

Robert Moskowitz rgm at htt-consult.com
Tue Feb 26 01:29:45 UTC 2013


On 02/25/2013 08:15 PM, Mark Andrews wrote:
> In message <512C09F5.4040400 at htt-consult.com>, Robert Moskowitz writes:
>> On 02/25/2013 03:25 PM, Robert Moskowitz wrote:
>>> On 02/25/2013 02:33 PM, Robert Moskowitz wrote:
>>>> On 02/25/2013 02:00 PM, Casey Deccio wrote:
>>>>> On Mon, Feb 25, 2013 at 5:09 AM, Robert Moskowitz
>>>>> <rgm at htt-consult.com <mailto:rgm at htt-consult.com>> wrote:
>>>>>
>>>>>      Yes, I know lots of places don't have DNSSEC signed zones.
>>>>>       **I** have not done mine yet, but I turned on DNSSEC checking
>>>>>      on my server and I am getting all too many messages like:
>>>>>
>>>>>            validating @0xb4247b50: 117.in-addr.arpa NSEC: no valid
>>>>>      signature found: 1 Time(s)
>>>>>            validating @0xb4247b50: 117.in-addr.arpa SOA: no valid
>>>>>      signature found: 1 Time(s)
>>>>>
>>>>>
>>>>> Yes, but 117.in-addr.arpa *is* signed [1], so if you're not getting
>>>>> signatures, that's problematic.
>>>> So that is not good.  This is over port 53, right?  I have that open
>>>> for udp and tcp.  My general options section has:
>>>>
>>>>      dnssec-enable yes;
>>>>      dnssec-validation yes;
>> digging back in the archive here, I find out this should be
>>
>>       dnssec-validation auto;
> Actually it can be either.  It's all a matter of how you want to
> set up your trust anchors.  For private root zones it is absolutely
> the wrong thing to do.

I got this from some old messages from you on the subject of "no valid 
signature".

Perhaps tying into my using the builtin root hints rather than 
explicitly including a root.hint stub?

Like the other person, once I changed from 'yes' to 'auto' I stopped 
logging these messages so I ASSuME that now all those zones are being 
validated.

No private root zones here.  At least that I know of!
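The two things discussed in this thread are the `dnssec-validation yes` versus `auto` setting and the `validating ... no valid signature found` log lines. The script below is an added example, not code from anyone in the thread: it parses constructed log lines modelled on the ones quoted above and totals the failures per zone, and it checks a `named.conf` options fragment for the combination Mark Andrews points at, `dnssec-validation yes` with no trust anchors configured (with `yes` BIND validates only against anchors you supply via `trusted-keys`, `managed-keys` or, in newer BIND, `trust-anchors`; with `auto` it uses the built-in root key). The sample log text and config fragments are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Matches the BIND validator messages quoted in the thread. The "@0x..." value
# is the address of the validator context and is not stable between runs, so it
# is matched but not captured. The optional ": N Time(s)" suffix is what
# logwatch appends when it aggregates repeated lines.
VALIDATION_RE = re.compile(
    r"validating @0x[0-9a-f]+: (?P<name>\S+) (?P<rrtype>[A-Z0-9]+): "
    r"(?P<result>.+?)(?:: \d+ Time\(s\))?$"
)

# Constructed sample log lines (example data, not taken from a real server)
SAMPLE_LOG = """\
validating @0xb4247b50: 117.in-addr.arpa NSEC: no valid signature found
validating @0xb4247b50: 117.in-addr.arpa SOA: no valid signature found
validating @0xb4247b50: example.test A: no valid signature found
validating @0xb4247b50: example.test DNSKEY: no valid signature found: 1 Time(s)
validating @0xb4247b50: 117.in-addr.arpa NSEC: no valid signature found
some unrelated log line
"""


def parse_validation_failures(text):
    """Count 'no valid signature found' messages, keyed by (name, rrtype)."""
    failures = Counter()
    for line in text.splitlines():
        m = VALIDATION_RE.search(line)
        if m and m.group("result").startswith("no valid signature found"):
            failures[(m.group("name"), m.group("rrtype"))] += 1
    return failures


def summarize_by_name(failures):
    """Collapse per-RRtype counts to per-name totals, largest first."""
    by_name = defaultdict(int)
    for (name, _rrtype), n in failures.items():
        by_name[name] += n
    return sorted(by_name.items(), key=lambda kv: (-kv[1], kv[0]))


def check_validation_config(named_conf):
    """Describe the dnssec-validation mode in a named.conf fragment and flag
    'yes' with no trust anchor block, the case the thread discusses."""
    conf = re.sub(r"/\*.*?\*/", "", named_conf, flags=re.S)   # block comments
    conf = re.sub(r"(//|#).*", "", conf)                        # line comments
    m = re.search(r"\bdnssec-validation\s+(yes|no|auto)\s*;", conf)
    mode = m.group(1) if m else "unset"
    has_anchor = re.search(
        r"\b(trusted-keys|managed-keys|trust-anchors)\s*\{", conf) is not None
    if mode == "yes" and not has_anchor:
        return "validation 'yes' but no trust anchor configured"
    if mode == "yes":
        return "validation 'yes' with explicit trust anchors"
    if mode == "auto":
        return "validation 'auto' (built-in root trust anchor)"
    return "validation " + mode


if __name__ == "__main__":
    for name, n in summarize_by_name(parse_validation_failures(SAMPLE_LOG)):
        print(f"{n:4d}  {name}")
    print(check_validation_config(
        "options { dnssec-enable yes; dnssec-validation yes; };"))
    print(check_validation_config("options { dnssec-validation auto; };"))
```

Run against a real log, feed `named`'s log (or the logwatch summary) to `parse_validation_failures`; a zone that keeps showing up with the same RRtypes after you have confirmed it is signed, as Casey notes 117.in-addr.arpa is, is the one to look at first, starting with how the trust anchors are configured.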



