On Sun, 16 Aug 2009, 23:39 -0400, Paul Wouters wrote:
> On Mon, 17 Aug 2009, John Marshall wrote:
>
> > named[204]: no valid RRSIG resolving 'cvsup.au.freebsd.org/A/IN':
> > 123.136.33.242#53
>
> > What should I do to troubleshoot this if it happens again?
>
> First of all, try and dump the cache, using rndc dumpdb -all. This
> gets a snapshot of the current state of your nameservers. Debugging
> something a few hours later might look completely different in a DNS
> world.

Thanks. After 1 hour of normal operation it went weird again. I generated a dump and took a copy of it.

> When doing dnssec queries that cause servfails, running the query
> with the Checking Disabled (CD) bit, might tell you a little bit
> more on what the named thinks it has. It's still a bit tricky to
> figure out things from that, eg "dig +dnssec +cd cvsup.au.freebsd.org."

Setting the CD flag resulted in a successful query. No dnssec information because the zone isn't signed.

> You can also use "drill" from the ldns package, to get some more
> information. In this case, running "drill -D -S cvsup.au.freebsd.org"
> would have been interesting, as it would go through all the parent
> records chasing where this supposed RRSIG came from.

Thanks for that. Unfortunately, by the time I had downloaded and installed drill, the server had "come good" - without a restart.

> Note that cvsup.au.freebsd.org is a CNAME to freebsd4.riverwillow.net.au.
> Was riverwillow.net.au the internal view zone you had signed?

riverwillow.net.au is an external (unsigned) zone. Sorry for the confusion. I should have picked something completely unrelated as an example. All of the many "problem" domain names live under .org.

--
John Marshall
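The comparison Paul suggests (the same query with and without the CD bit) can be turned into a small triage step once the two dig outputs have been captured. The script below is an added illustration, not code from the thread or from BIND/ldns; it parses dig's text output and classifies the failure. The sample outputs, the address 203.0.113.10 and the query ids are constructed.

```python
import re

# Constructed sample dig output for the two queries (not captured from the thread).
SERVFAIL_OUT = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1234
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
CD_OUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1235
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
cvsup.au.freebsd.org.\t3600\tIN\tCNAME\tfreebsd4.riverwillow.net.au.
freebsd4.riverwillow.net.au. 3600 IN\tA\t203.0.113.10
"""

STATUS_RE = re.compile(r"->>HEADER<<-.*\bstatus: (\w+)")
FLAGS_RE = re.compile(r";; flags: ([^;]*);")
RRSIG_RE = re.compile(r"^\S+\s+\d+\s+IN\s+RRSIG\s", re.M)


def parse_dig(text):
    """Return (status, set of header flags, whether any RRSIG record is present)."""
    status = STATUS_RE.search(text)
    flags = FLAGS_RE.search(text)
    return (status.group(1) if status else None,
            set(flags.group(1).split()) if flags else set(),
            bool(RRSIG_RE.search(text)))


def diagnose(normal_out, cd_out):
    """Classify a failing validating query using the same query issued with +cd."""
    n_status, n_flags, _ = parse_dig(normal_out)
    c_status, _, c_rrsig = parse_dig(cd_out)
    if n_status == "NOERROR":
        # AD set means the resolver validated the answer; otherwise it was unvalidated.
        return "validated" if "ad" in n_flags else "resolved-unvalidated"
    if n_status == "SERVFAIL" and c_status == "NOERROR":
        # The data is reachable and only validation rejects it. With RRSIGs present the
        # chain itself is bad; without them the resolver believed the zone should be
        # signed, which is what the rndc dumpdb snapshot should be checked against.
        return "validation-failure-signed" if c_rrsig else "validation-failure-unsigned"
    if n_status == "SERVFAIL" and c_status == "SERVFAIL":
        return "upstream-failure"  # fails even with CD, so not a validation problem
    return "inconclusive"


if __name__ == "__main__":
    print(diagnose(SERVFAIL_OUT, CD_OUT))  # validation-failure-unsigned
```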
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users