On 2019-09-17 20:40, John Covici wrote:

> On Tue, 17 Sep 2019 18:33:51 -0400,
> Ian Zimmerman wrote:
> > 
> > On 2019-09-17 13:01, John Covici wrote:
> > 
> > > > > Also, when I restart named (which I have now done automatically by
> > > > > systemd) it gives me a lot of errors like the following:
> > > > > Sep 17 03:11:59 ccs.covici.com named[3299910]: validating arpa/DS: no
> > > > > valid signature found
> > > > > or this:
> > > > > Sep 17 03:12:00 ccs.covici.com named[3299910]: validating com/DS: no
> > > > > valid signature found
> > > > 
> > > > This looks like a DNSSEC problem.  I don't run bind on my gentoo system,
> > > > but I did this:
> > 
> > > > [snipped]
> > 
> > > > Try running "ldd /usr/sbin/named".  Is openssl (ie. libssl and
> > > > libcrypto) part of the output?
> > 
> > > libcrypto is there along with libgnutls, but no libssl.
> > 
> > Ok, so it probably is built with DNSSEC support.
> > 
> > How do you populate your cache?  Do you recurse to the root servers, or
> > do you have a "forwarder" (for example, your ISP server) to which you
> > pass all queries that miss the cache?
> 
> I have more than one, but they are forwarders. 

Then it's likely a problem with one of them.  For DNSSEC to work, all
the servers that handle the query must support it.

One way to get rid of the warning is to just disable DNSSEC at runtime.
In /etc/bind/named.conf (or a file included by it):

options { dnssec-enable no; };

Reference:
https://downloads.isc.org/isc/bind9/9.14.0/doc/arm/Bv9ARM.ch05.html#options_grammar

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet and on broken lists
which rewrite From, fetch the TXT record for no-use.mooo.com.

Reply via email to