In message <512c09f5.4040...@htt-consult.com>, Robert Moskowitz writes:
> On 02/25/2013 03:25 PM, Robert Moskowitz wrote:
> >
> > On 02/25/2013 02:33 PM, Robert Moskowitz wrote:
> >>
> >> On 02/25/2013 02:00 PM, Casey Deccio wrote:
> >>> On Mon, Feb 25, 2013 at 5:09 AM, Robert Moskowitz 
> >>> <r...@htt-consult.com <mailto:r...@htt-consult.com>> wrote:
> >>>
> >>>     Yes, I know lots of places don't have DNSSEC signed zones.
> >>>      **I** have not done mine yet, but I turned on DNSSEC checking
> >>>     on my server and I am getting all too many messages like:
> >>>
> >>>           validating @0xb4247b50: 117.in-addr.arpa NSEC: no valid
> >>>     signature found: 1 Time(s)
> >>>           validating @0xb4247b50: 117.in-addr.arpa SOA: no valid
> >>>     signature found: 1 Time(s)
> >>>
> >>>
> >>> Yes, but 117.in-addr.arpa *is* signed [1], so if you're not getting 
> >>> signatures, that's problematic.
> >>
> >> So that is not good.  This is over port 53, right?  I have that open 
> >> for udp and tcp.  My general options section has:
> >>
> >>     dnssec-enable yes;
> >>     dnssec-validation yes;
> 
> digging back in the archive here, I find out this should be
> 
>      dnssec-validation auto;

Actually it can be either.  It's all a matter of how you want to
set up your trust anchors.  For private root zones it is absolutely
the wrong thing to do.

> And now I don't have all those false no valid sig messages and I can 
> look for the NEXT problem.
> 
> >>     dnssec-lookaside auto;
> >>
> >>     /* Path to ISC DLV key */
> >>     bindkeys-file "/etc/named.iscdlv.key";
> >>
> >>     managed-keys-directory "/var/named/dynamic";
> >>
> >>
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
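The two trust-anchor setups Mark contrasts above, as an added illustration (not configuration from the thread or from ISC): `dnssec-validation auto;` makes named validate against its built-in public root key and track that key's rollover, while `dnssec-validation yes;` validates only against anchors the operator configures, which is what a private root needs since the public root key can never validate it. The key material shown is a placeholder, not a real anchor.

```conf
// Added example, not from the thread. Two alternative named.conf layouts for
// a validating resolver; pick the one that matches where your chain of trust ends.

// --- Variant A: resolving the public Internet root ---
// "auto" loads the built-in root trust anchor (from the bindkeys-file) and keeps it
// current via managed-keys, so no key needs to be pasted into the config.
options {
    dnssec-enable yes;
    dnssec-validation auto;
    managed-keys-directory "/var/named/dynamic";
};

// --- Variant B: a private root zone (or any explicitly anchored setup) ---
// "yes" validates only against anchors you supply below. Using "auto" here would be
// wrong: the public root key has no relationship to a private root's signatures.
options {
    dnssec-enable yes;
    dnssec-validation yes;
    managed-keys-directory "/var/named/dynamic";
};

managed-keys {
    // 257 = KSK flags, 3 = protocol, 8 = RSASHA256. The base64 string is a
    // PLACEHOLDER; substitute the DNSKEY published by your own root zone.
    . initial-key 257 3 8 "AwEAAPLACEHOLDERPLACEHOLDERPLACEHOLDER";
};
```

To confirm which anchors named is actually using, `rndc secroots` dumps the active trust anchors to the secroots file in the working directory; a query such as `dig +dnssec soa 117.in-addr.arpa @127.0.0.1` should then return the `ad` flag if validation succeeded, and the "no valid signature found" lines in the log point at an anchor that does not match the zone being validated.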