bind 9.8.2 "no valid signature found"

Jim Garrison jhg at jhmg.net
Thu Jan 26 06:35:43 UTC 2017


Running CentOS 6.8 with bind-9.8.2-0.47.rc1.el6_8.4.x86_64

I'm getting lots of log messages of the form

Jan 25 22:11:55 janus named[10123]: validating @0x7f51084b6450: cloudflare.com A: no valid signature found

CloudFlare's DNSSEC seems to be OK according to
http://dnssec-debugger.verisignlabs.com/cloudflare.net and
http://dnsviz.net/d/cloudflare.net/dnssec/

Looking at the traffic with Wireshark, I see the RRSIG uses
ECDSA Curve P-256 with SHA-256.  Should bind 9.8.2 be able to
recognize that algorithm or is a newer version of bind needed?

Output of named -V (Is the OpenSSL version to blame?)

BIND 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 built with
'--build=x86_64-redhat-linux-gnu'
'--host=x86_64-redhat-linux-gnu'
'--target=x86_64-redhat-linux-gnu'
'--program-prefix='
'--prefix=/usr'
'--exec-prefix=/usr'
'--bindir=/usr/bin'
'--sbindir=/usr/sbin'
'--sysconfdir=/etc'
'--datadir=/usr/share'
'--includedir=/usr/include'
'--libdir=/usr/lib64'
'--libexecdir=/usr/libexec'
'--sharedstatedir=/var/lib'
'--mandir=/usr/share/man'
'--infodir=/usr/share/info'
'--with-libtool'
'--localstatedir=/var'
'--enable-threads'
'--enable-ipv6'
'--enable-filter-aaaa'
'--with-pic'
'--disable-static'
'--disable-openssl-version-check'
'--enable-rpz-nsip'
'--enable-rpz-nsdname'
'--with-dlopen=yes'
'--with-dlz-ldap=yes'
'--with-dlz-postgres=yes'
'--with-dlz-mysql=yes'
'--with-dlz-filesystem=yes'
'--with-gssapi=yes'
'--disable-isc-spnego'
'--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets'
'--enable-fixed-rrset'
'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu'
'target_alias=x86_64-redhat-linux-gnu'
'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'
'CPPFLAGS= -DDIG_SIGCHASE'

using OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013
using libxml2 version: 2.7.6


-- 
Jim Garrison (jhg at acm.org)
PGP Keys at http://www.jhmg.net RSA 0x04B73B7F DH 0x70738D88
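
Added example, not part of the original post: one way to check whether the validator failures in a log cluster on a single signing algorithm is to tally the "no valid signature found" messages per RRset and join them with the algorithm field of the corresponding RRSIG records. The function names are hypothetical, and all sample input other than the first log line (taken from the post) is constructed, including the RRSIG key tags and signature placeholders.

```python
import re
from collections import Counter

# IANA DNSSEC algorithm numbers (subset) and their mnemonics.
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
              10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
              15: "ED25519", 16: "ED448"}

# Matches the validator message format quoted in the post.
FAIL_RE = re.compile(r"named\[\d+\]: validating @0x[0-9a-f]+: "
                     r"(\S+) (\S+): no valid signature found")
# RRSIG presentation format: owner TTL IN RRSIG type-covered algorithm ...
RRSIG_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+(\d+)\s", re.M)

# Constructed sample input (only the first log line comes from the post).
SAMPLE_LOG = """\
Jan 25 22:11:55 janus named[10123]: validating @0x7f51084b6450: cloudflare.com A: no valid signature found
Jan 25 22:12:01 janus named[10123]: validating @0x7f51084b7a10: cloudflare.com A: no valid signature found
Jan 25 22:12:09 janus named[10123]: validating @0x7f51084b8c30: example.org AAAA: no valid signature found
Jan 25 22:12:10 janus crond[2201]: (root) CMD (run-parts /etc/cron.hourly)
"""
SAMPLE_RRSIGS = """\
cloudflare.com. 300 IN RRSIG A 13 2 300 20170127000000 20170125000000 12345 cloudflare.com. c2FtcGxl
example.org. 3600 IN RRSIG AAAA 8 2 3600 20170201000000 20170120000000 54321 example.org. c2FtcGxl
"""

def norm(name):
    """Compare owner names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()

def failures(log_text):
    """Count 'no valid signature found' messages per (owner name, type)."""
    return Counter((norm(n), t) for n, t in FAIL_RE.findall(log_text))

def rrsig_algorithms(rrsig_text):
    """Map (owner name, type covered) to the set of signing algorithm numbers."""
    algs = {}
    for owner, covered, alg in RRSIG_RE.findall(rrsig_text):
        algs.setdefault((norm(owner), covered), set()).add(int(alg))
    return algs

def report(log_text, rrsig_text):
    """List failing RRsets, most frequent first, with their RRSIG algorithms."""
    algs = rrsig_algorithms(rrsig_text)
    return [(name, rtype, count, [ALGORITHMS.get(a, f"unknown({a})")
                                  for a in sorted(algs.get((name, rtype), ()))])
            for (name, rtype), count in failures(log_text).most_common()]

if __name__ == "__main__":
    for row in report(SAMPLE_LOG, SAMPLE_RRSIGS):
        print(*row)
```

On a real resolver the RRSIG text would come from a query with the DO bit set, for example the answer section of "dig +dnssec", saved to a file.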

