Yesterday one of our BIND 9.6.1-P1 servers started logging lots of messages like the following - for a number of different domains - and failing to resolve the corresponding names.

    named[204]: no valid RRSIG resolving 'cvsup.au.freebsd.org/A/IN': 123.136.33.242#53

Please note that in the above instance, the zone in question is not signed. BIND was logging this error and returning SERVFAIL to the client.

I only noticed this this morning and spent a while trying to figure out what was happening - to no avail. The BIND server had been running for over two weeks with this configuration with no problem but I wondered if, perhaps, something had gone weird with dnssec-validation. I decided to re-start named and everything is happy again.

What should I do to troubleshoot this if it happens again?

I'm new at DNSSEC. This server is the first one we have configured. I have the following in the global configuration options:

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside . trust-anchor dlv.isc.org.;

I have the dlv.isc.org. key and the key for our only signed zone (internal zone being served only via an internal view) in the trusted-keys section of the configuration.

I'd be glad to be referred to any troubleshooting tips.

Thank you.

-- 
John Marshall
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
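
Added example, not part of the original post or of BIND: a small triage script that parses "no valid RRSIG resolving" lines in the format quoted above and counts them per queried name, record type and upstream server, so the scope of a recurrence can be recorded before named is restarted. The sample lines other than the first are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Message format quoted in the post:
#   no valid RRSIG resolving '<name>/<type>/<class>': <server>#<port>
# The name group is greedy so that names containing '/' (for example
# classless in-addr.arpa delegations) still split on the last two slashes.
RRSIG_RE = re.compile(
    r"no valid RRSIG resolving '(?P<name>[^']+)/(?P<rtype>[^'/]+)/(?P<rclass>[^'/]+)'"
    r": (?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+)"
)

def parse_line(line):
    """Return the fields of a 'no valid RRSIG' line as a dict, else None."""
    m = RRSIG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # DNS names are case-insensitive; keep "." for the root name.
    rec["name"] = rec["name"].rstrip(".").lower() or "."
    rec["port"] = int(rec["port"])
    return rec

def summarize(lines):
    """Count failures per queried name, record type and upstream server."""
    by_name, by_type, by_server = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated log line
        by_name[rec["name"]] += 1
        by_type[rec["rtype"]] += 1
        by_server[rec["server"]] += 1
    return {"by_name": by_name, "by_type": by_type, "by_server": by_server}

# Constructed sample input: the first line is the one quoted in the post,
# the rest are made up (documentation addresses and example names).
SAMPLE = [
    "named[204]: no valid RRSIG resolving 'cvsup.au.freebsd.org/A/IN': 123.136.33.242#53",
    "named[204]: no valid RRSIG resolving 'www.example.org/A/IN': 192.0.2.53#53",
    "named[204]: no valid RRSIG resolving 'WWW.example.org/AAAA/IN': 2001:db8::53#53",
    "named[204]: zone example.net/IN: loaded serial 2009090101",
]

if __name__ == "__main__":
    for key, counter in summarize(SAMPLE).items():
        print(key)
        for value, count in counter.most_common():
            print(f"  {count:5d}  {value}")
```

To run it against a real log, pass the open file object to summarize() in place of SAMPLE.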