In message <55a57b9c.6050...@gmail.com>, Leandro writes: > Suddenly server stop working ; on logs following messages appeared : > > alidating @0x7f2c60591400: . NS: got insecure response; parent indicates > it should be secure > error (insecurity proof failed) resolving './NS/IN': 199.7.83.42#53 > validating @0x7f2c60528430: net SOA: verify failed due to bad signature > (keyid=48497): RRSIG validity period has not begun > validating @0x7f2c60528430: net SOA: no valid signature found > After add > dnssec-enable = no ; > and restart the server, it began working again.
It looks like the clock is wrong based on "RRSIG validity period has not begun". Run "date -u" and check everything. > a)Why did it happen if server was already working ? > In my original named.conf I had default settings like this: > the include statement: > include "/etc/named.root.key"; > and the file named.root.key containing: > > managed-keys { > # DNSKEY for the root zone. > # Updates are published on root-dnssec-annou...@icann.org > . initial-key 257 3 8 > "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF > FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX > bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD > X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz > W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS > Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0="; > }; > > b) Is it bad practice to disable dnssec option ? > c) Which is a good practice about dnssec use ? > e) Named using dnssec have problems very often ? > c) Using dnssec will decrease server performance ? > > > Sorry for the questions battery butIm very concerned about it, my server > was ready to go on production but now I have to figure out this issue. > I am reading some docs and researching about this. > Any comments or thought would be wellcome > Leandro. > > > > > > > > _______________________________________________ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users