DNSSEC:RRSIG validity period has not begun

Rajalakshmi R Tue, 14 Oct 2008 05:47:05 -0700

Hi, 
 I am trying to configure DNSSEc. So far i have created a zone (raji.com) 
signed it with a ZSK only.On querying this authoritative server for DNSSEc data 
expected result is got and the RRSIG rrs are returned. However when i try to 
add a trusted anchor(the ZSK) to some non-authoritative server  and try to 
query for raji.com,dig returns no answers. On analysis of the log it is seen 
that a response is got but the validation fails with the below message. 
14-Oct-2008 17:16:34.386 received packet: 
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  62355 
;; flags: qr aa rd cd ; QUESTION: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3 
;; OPT PSEUDOSECTION: 
; EDNS: version: 0, flags: do; udp: 4096 
;; QUESTION SECTION: 
;raji.com.                      IN      DNSKEY


;; ANSWER SECTION: 
raji.com.               86400   IN      DNSKEY  256 3 5 
AwEAAe0rGK3esDcvfLXSqDtkPSuZAgVdBuzQxNYjMB3tt2x2YinBlt/Q 
7bJanhr8IbUGe5IxfHEdMg7Q0tvx4PSx/XM667AovJJBo4isoXGz1iR5 
bT6wdVaDyIMVcbVa225wn9Xbz+opTrO1++EPZ8MiCRGhg71xHduYQzBs YVVDFd1/ 
raji.com.               86400   IN      RRSIG   DNSKEY 5 2 86400 20081113142126 
20081014142126 41667 raji.com. 
FR1WPQMiz6Jk/0rFYTYLIVxf5lGyXsIOIm5BjPlpIoVZwhDc7i/+Ckn6 
UMdKLLor6jaDKfo8v3LdAWU3pbviZ3uERyvsTOhZ3ohayJhk8doCqsEM 
XhgcPbFKvsWTLY0zHctsa3BispIMBIa1QlEYp2qAeOD7KcMeISD/m4Me qGw= 

;; AUTHORITY SECTION: 
raji.com.               86400   IN      NS      ns2.smokeyjoe.com. 
raji.com.               86400   IN      NS      ns1.raji.com. 
raji.com.               86400   IN      RRSIG   NS 5 2 86400 20081113142126 
20081014142126 41667 raji.com. 
gfdDOKOfHhsilmgu+324u1MCB1hr0T9gpU3L6NTAI3/kQYASo7+zPSCG 
mjHbd4O+D8/bdkt58ORqYHRwCcNLAeVSaf15Cvn4eS1F/zptFqSJNgy2 
wHhhg+ReXDU4LKmzSamLDTMExA9RwNP2akbNKQ3CNelFbRfseeynpLBZ ADo= 

;; ADDITIONAL SECTION: 
ns1.raji.com.           86400   IN      A       192.168.0.1 
ns1.raji.com.           86400   IN      RRSIG   A 5 3 86400 20081113142126 
20081014142126 41667 raji.com. 
2ykoFHb8qJK0+cSQ/CPoNyZvrZZah5krxGWXeiYz3Ug438F3OaYYhV0v 
pLqfmXyVA5uhxL1nDazRi1VWDNqI2NtPG3bR759OCsZl9W1XgqpZ4v9u 
ywKezzyQl4Jdg9WSQUkNGOY1vyWnrxGop/QwaIRuuAgUZi1kZ0CS6pqQ aEc= 


14-Oct-2008 17:16:34.386 validating @0x555555742220: raji.com DNSKEY: starting 
14-Oct-2008 17:16:34.386 validating @0x555555742220: raji.com DNSKEY: 
attempting positive response validation 
14-Oct-2008 17:16:34.386 validating @0x555555742220: raji.com DNSKEY: verify 
rdataset (keyidA667): RRSIG validity period has not begun 
14-Oct-2008 17:16:34.386 validating @0x555555742220: raji.com DNSKEY: unable to 
find a DNSKEY which verifies the DNSKEY RRset and also matches one of specified 
trusted-keys for 'raji.com' 

can anyone help me out with this issue 

Raji R

DNSSEC:RRSIG validity period has not begun

Reply via email to