DNSSEC: RRSIG validity period has not begun
Rajalakshmi R
RRajalakshmi at novell.com
Tue Oct 14 12:50:17 UTC 2008
Hi,
I am trying to configure DNSSEC. So far I have created a zone (raji.com) and signed it with a ZSK only. On querying this authoritative server for DNSSEC data, the expected result is obtained and the RRSIG RRs are returned. However, when I try to add a trusted anchor (the ZSK) to some non-authoritative server and try to query for raji.com, dig returns no answers. On analysis of the log it is seen that a response is received but the validation fails with the below message.
14-Oct-2008 17:16:34.386 received packet:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62355
;; flags: qr aa rd cd ; QUESTION: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;raji.com. IN DNSKEY
;; ANSWER SECTION:
raji.com. 86400 IN DNSKEY 256 3 5 AwEAAe0rGK3esDcvfLXSqDtkPSuZAgVdBuzQxNYjMB3tt2x2YinBlt/Q 7bJanhr8IbUGe5IxfHEdMg7Q0tvx4PSx/XM667AovJJBo4isoXGz1iR5 bT6wdVaDyIMVcbVa225wn9Xbz+opTrO1++EPZ8MiCRGhg71xHduYQzBs YVVDFd1/
raji.com. 86400 IN RRSIG DNSKEY 5 2 86400 20081113142126 20081014142126 41667 raji.com. FR1WPQMiz6Jk/0rFYTYLIVxf5lGyXsIOIm5BjPlpIoVZwhDc7i/+Ckn6 UMdKLLor6jaDKfo8v3LdAWU3pbviZ3uERyvsTOhZ3ohayJhk8doCqsEM XhgcPbFKvsWTLY0zHctsa3BispIMBIa1QlEYp2qAeOD7KcMeISD/m4Me qGw=
;; AUTHORITY SECTION:
raji.com. 86400 IN NS ns2.smokeyjoe.com.
raji.com. 86400 IN NS ns1.raji.com.
raji.com. 86400 IN RRSIG NS 5 2 86400 20081113142126 20081014142126 41667 raji.com. gfdDOKOfHhsilmgu+324u1MCB1hr0T9gpU3L6NTAI3/kQYASo7+zPSCG mjHbd4O+D8/bdkt58ORqYHRwCcNLAeVSaf15Cvn4eS1F/zptFqSJNgy2 wHhhg+ReXDU4LKmzSamLDTMExA9RwNP2akbNKQ3CNelFbRfseeynpLBZ ADo=
;; ADDITIONAL SECTION:
ns1.raji.com. 86400 IN A 192.168.0.1
ns1.raji.com. 86400 IN RRSIG A 5 3 86400 20081113142126 20081014142126 41667 raji.com. 2ykoFHb8qJK0+cSQ/CPoNyZvrZZah5krxGWXeiYz3Ug438F3OaYYhV0v pLqfmXyVA5uhxL1nDazRi1VWDNqI2NtPG3bR759OCsZl9W1XgqpZ4v9u ywKezzyQl4Jdg9WSQUkNGOY1vyWnrxGop/QwaIRuuAgUZi1kZ0CS6pqQ aEc=
14-Oct-2008 17:16:34.386 validating @0x555555742220: raji.com DNSKEY: starting
14-Oct-2008 17:16:34.386 validating @0x555555742220: raji.com DNSKEY: attempting positive response validation
14-Oct-2008 17:16:34.386 validating @0x555555742220: raji.com DNSKEY: verify rdataset (keyid=41667): RRSIG validity period has not begun
14-Oct-2008 17:16:34.386 validating @0x555555742220: raji.com DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches one of specified trusted-keys for 'raji.com'
Can anyone help me out with this issue?
Raji R
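
The following is an added example, not part of the original post: it parses the inception and expiration fields of the DNSKEY RRSIG shown above and applies the validity-window check that RFC 4034 defines (timestamps in UTC, compared with RFC 1982 serial arithmetic). The reference clock is an assumption taken from this message's archive timestamp (12:50:17 UTC), the signature data is replaced by a placeholder, and the function names are illustrative.

```python
import calendar
import time

def rrsig_time(stamp):
    """RRSIG YYYYMMDDHHmmSS timestamp (always UTC) -> 32-bit epoch seconds."""
    return calendar.timegm(time.strptime(stamp, "%Y%m%d%H%M%S")) & 0xFFFFFFFF

def serial_lt(a, b):
    """RFC 1982 comparison of 32-bit serials: True if a is earlier than b."""
    return a != b and ((b - a) & 0xFFFFFFFF) < 0x80000000

def parse_rrsig(line):
    """Parse one RRSIG record in presentation format (dig / named log output)."""
    f = line.split()
    i = f.index("RRSIG")
    return {
        "owner": f[0],
        "covered": f[i + 1],
        "algorithm": int(f[i + 2]),
        "labels": int(f[i + 3]),
        "orig_ttl": int(f[i + 4]),
        "expiration": rrsig_time(f[i + 5]),  # expiration precedes inception
        "inception": rrsig_time(f[i + 6]),
        "key_tag": int(f[i + 7]),
        "signer": f[i + 8],
    }

def check_validity(sig, now):
    """Return (state, seconds): time until inception or time since expiration."""
    now &= 0xFFFFFFFF
    if serial_lt(now, sig["inception"]):
        return "not-yet-valid", (sig["inception"] - now) & 0xFFFFFFFF
    if serial_lt(sig["expiration"], now):
        return "expired", (now - sig["expiration"]) & 0xFFFFFFFF
    return "valid", 0

# DNSKEY RRSIG fields copied from the post; signature replaced by a placeholder.
SAMPLE = ("raji.com. 86400 IN RRSIG DNSKEY 5 2 86400 "
          "20081113142126 20081014142126 41667 raji.com. <signature-omitted>")
# Assumed validator clock: the archive timestamp of the message, in UTC.
ASSUMED_NOW = rrsig_time("20081014125017")

if __name__ == "__main__":
    sig = parse_rrsig(SAMPLE)
    state, seconds = check_validity(sig, ASSUMED_NOW)
    print(f"key tag {sig['key_tag']} covering {sig['covered']}: {state} ({seconds}s)")
```

Running the same check with the output of `date -u` on both the signing host and the validating resolver shows whether the gap comes from clock or time zone configuration on either side.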