On 02/25/2013 02:00 PM, Casey Deccio wrote:
> On Mon, Feb 25, 2013 at 5:09 AM, Robert Moskowitz <r...@htt-consult.com> wrote:
>> Yes, I know lots of places don't have DNSSEC signed zones. *I*
>> have not done mine yet, but I turned on DNSSEC checking on my
>> server and I am getting all too many messages like:
>>
>> validating @0xb4247b50: 117.in-addr.arpa NSEC: no valid
>> signature found: 1 Time(s)
>> validating @0xb4247b50: 117.in-addr.arpa SOA: no valid
>> signature found: 1 Time(s)
>
> Yes, but 117.in-addr.arpa *is* signed [1], so if you're not getting
> signatures, that's problematic.
So that is not good. This is over port 53, right? I have that open for
udp and tcp. My general options section has:
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
>> How can I stop the logging of only "no valid signature found"?
>> So I can watch for more meaningful events and not so quickly grow
>> /var/log/messages?
>
> Logging can be tuned on a per-category (e.g., DNSSEC) basis, including
> the location to which log messages are sent (e.g., file, syslog,
> etc.). See the section on logging in the BIND 9 Configuration
> Reference for more information on how to do this [2].
Thanks, I will read this AFTER I find out why I am not getting the
signature. Perhaps I should check to see if I am getting any sigs? How
might I do that?
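One way to answer the "am I getting any sigs?" question, added here as an example and not code from the thread or from ISC: send the resolver a query with the EDNS0 DO bit set (the same thing `dig +dnssec` does) and count the RRSIG records in the reply. The script assumes the resolver to ask is the local named at 127.0.0.1 unless another address is given, uses the thread's 117.in-addr.arpa SOA as the default question, and contains a constructed (not captured) reply used only to exercise the parser offline.

```python
# Added example (not from the thread or from ISC): send a query with the EDNS0
# DO bit set and report whether any RRSIG records come back. Assumes the
# resolver address and the name to ask for are given on the command line.
import socket
import struct
import sys

SOA, OPT, RRSIG = 6, 41, 46           # RR type codes used below
FLAG_AD, FLAG_CD = 0x0020, 0x0010     # AD / CD bits in the header flags
FLAG_DO = 0x8000                      # DO bit in the OPT pseudo-RR TTL field


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234, do_bit=True, cd_bit=False, udp_size=4096):
    """Recursion-desired query with one OPT pseudo-RR; DO asks for RRSIGs,
    CD asks the resolver to hand back data it would otherwise reject."""
    flags = 0x0100 | (FLAG_CD if cd_bit else 0)                  # RD (+ CD)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)      # 1 question, 1 additional (OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt_ttl = FLAG_DO if do_bit else 0                            # ext-rcode=0, version=0, flags
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, opt_ttl, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def summarize_response(msg):
    """Walk all sections and count RR types; note RCODE, AD and whether DO was echoed."""
    flags, qd, an, ns, ar = struct.unpack("!HHHHH", msg[2:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    counts = {"answer": {}, "authority": {}, "additional": {}}
    server_do = False
    for section, n in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(n):
            off = skip_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if rtype == OPT and ttl & FLAG_DO:
                server_do = True
            counts[section][rtype] = counts[section].get(rtype, 0) + 1
    return {
        "rcode": flags & 0x000F,
        "ad": bool(flags & FLAG_AD),   # AD = the resolver itself validated the data
        "server_do": server_do,
        "rrsig_count": sum(c.get(RRSIG, 0) for c in counts.values()),
        "counts": counts,
    }


def query(server, name, qtype=SOA, cd_bit=False, timeout=3.0):
    """Send the query over UDP and summarize the reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, cd_bit=cd_bit), (server, 53))
        data, _ = s.recvfrom(65535)
    return summarize_response(data)


def build_sample_response(txid=0x1234):
    """Constructed (not captured) reply: SOA + RRSIG in the answer, DO echoed, AD set."""
    name = encode_name("117.in-addr.arpa")
    header = struct.pack("!HHHHHH", txid, 0x81A0, 1, 2, 0, 1)    # QR RD RA AD, NOERROR
    question = name + struct.pack("!HH", SOA, 1)
    ptr = b"\xC0\x0C"                                             # pointer to the name at offset 12
    soa_rdata = (encode_name("ns.example") + encode_name("hostmaster.example")
                 + struct.pack("!IIIII", 1, 3600, 900, 604800, 3600))
    soa_rr = ptr + struct.pack("!HHIH", SOA, 1, 3600, len(soa_rdata)) + soa_rdata
    # RRSIG rdata: type covered, algorithm, labels, original TTL, expiry,
    # inception, key tag, signer name, then dummy signature bytes
    sig_rdata = (struct.pack("!HBBIIIH", SOA, 8, 3, 3600, 0, 0, 12345)
                 + encode_name("117.in-addr.arpa") + b"\x00" * 32)
    rrsig_rr = ptr + struct.pack("!HHIH", RRSIG, 1, 3600, len(sig_rdata)) + sig_rdata
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT, 4096, FLAG_DO, 0)
    return header + question + soa_rr + rrsig_rr + opt_rr


if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    name = sys.argv[2] if len(sys.argv) > 2 else "117.in-addr.arpa"
    r = query(server, name)
    print("rcode=%d ad=%s do_echoed=%s rrsigs=%d" % (
        r["rcode"], r["ad"], r["server_do"], r["rrsig_count"]))
```

Run it as `python3 check_sigs.py 127.0.0.1 117.in-addr.arpa`. Against a validating resolver, a signed zone should come back with rcode 0, AD set and at least one RRSIG; rcode 2 (SERVFAIL) means the validator rejected the data, and repeating the query with `cd_bit=True` shows what it actually fetched. If RRSIGs are missing and the DO bit is not echoed in the reply's OPT record, the EDNS part of the exchange is being lost somewhere between the two servers, which is a different problem from the signatures themselves being bad.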
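For the earlier question in the thread, keeping the "no valid signature found" flood from hiding rarer validator messages, the lasting fix is the per-category logging that [2] describes. Until that is in place, the following added example (not code from the thread or from ISC) triages what is already in /var/log/messages: it parses lines of the shape quoted above, both as raw syslog lines and as the "N Time(s)" summaries a log summarizer produces, and aggregates them per zone and message so everything other than the noisy message is listed first. The sample lines are constructed, not captured from a real server.

```python
# Added example (not from the thread or from ISC): split BIND validator log
# lines into the noisy "no valid signature found" bucket and everything else,
# aggregated per zone, so the rarer messages stand out. Sample lines are
# constructed, not captured.
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?:\w{3}\s+\d+ [\d:]+ \S+ named\[\d+\]: )?"           # optional syslog prefix
    r"validating @0x[0-9a-f]+: (?P<name>\S+) (?P<type>\S+): "
    r"(?P<msg>.*?)(?:: (?P<n>\d+) Time\(s\))?$"              # optional "N Time(s)" summary suffix
)
NOISE = ("no valid signature found",)

SAMPLE_LOG = """\
validating @0xb4247b50: 117.in-addr.arpa NSEC: no valid signature found: 1 Time(s)
validating @0xb4247b50: 117.in-addr.arpa SOA: no valid signature found: 1 Time(s)
Feb 25 13:58:01 ns1 named[1234]: validating @0xb4247b50: 117.in-addr.arpa NS: no valid signature found
validating @0xb4247b50: example.test A: got insecure response; parent indicates it should be secure: 3 Time(s)
validating @0xb4247b50: example.test DNSKEY: verify failed due to bad signature (keyid=12345): RRSIG has expired: 2 Time(s)
"""


def parse_line(line):
    """Return name/type/message/count for one validator line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"name": m.group("name"), "type": m.group("type"),
            "msg": m.group("msg"), "count": int(m.group("n") or 1)}


def triage(lines, noise=NOISE):
    """Split parsed lines into (noisy, other) Counters keyed by (zone, message)."""
    noisy, other = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        bucket = noisy if rec["msg"].startswith(noise) else other
        bucket[(rec["name"], rec["msg"])] += rec["count"]
    return noisy, other


def report(lines):
    """Human-readable summary: rarer messages first, then the noisy one per zone."""
    noisy, other = triage(lines)
    out = ["== other validation messages (read these first) =="]
    for (name, msg), n in other.most_common():
        out.append("%5d  %s: %s" % (n, name, msg))
    out.append("== 'no valid signature found', per zone ==")
    for (name, _msg), n in noisy.most_common():
        out.append("%5d  %s" % (n, name))
    return "\n".join(out)


if __name__ == "__main__":
    import sys
    # Pipe a log through it (grep validating /var/log/messages | python3 triage.py),
    # or run it with no input to see the constructed sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    print(report(source))
```

One caveat for the noisy bucket: on a resolver with `dnssec-validation yes`, "no valid signature found" for a zone that is signed means the resolver is refusing those answers, so the per-zone counts are worth a glance even after the messages are routed out of the main log.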
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users