Running CentOS 6.8 with bind-9.8.2-0.47.rc1.el6_8.4.x86_64 I'm getting lots of log messages of the form

    Jan 25 22:11:55 janus named[10123]: validating @0x7f51084b6450: cloudflare.com A: no valid signature found

CloudFlare's DNSSEC seems to be OK according to

    http://dnssec-debugger.verisignlabs.com/cloudflare.net

and

    http://dnsviz.net/d/cloudflare.net/dnssec/

Looking at the traffic with Wireshark, I see the RRSIG uses ECDSA Curve P-256 with SHA-256. Should bind 9.8.2 be able to recognize that algorithm or is a newer version of bind needed?

Output of named -V (Is the OpenSSL version to blame?)

    BIND 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--enable-filter-aaaa' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--enable-rpz-nsip' '--enable-rpz-nsdname' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' '--enable-fixed-rrset' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= -DDIG_SIGCHASE'
    using OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013
    using libxml2 version: 2.7.6

--
Jim Garrison ([email protected])
PGP Keys at http://www.jhmg.net RSA 0x04B73B7F DH 0x70738D88
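An added example, not part of the original post: a small parser for the RRSIG RDATA layout (RFC 4034) that reads the algorithm number the post identifies in Wireshark, so it can be compared with what a given validator build supports. The sample record is constructed (key tag, timestamps and an all-zero signature are placeholders), and the algorithm table is a subset of the IANA registry.

```python
import struct

# Subset of the IANA DNSSEC algorithm number registry.
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
              10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384"}
RRTYPES = {1: "A", 28: "AAAA", 48: "DNSKEY"}

def read_name(buf, off):
    """Read an uncompressed wire-format name; return (text, next_offset)."""
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("truncated signer name")
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n > 63:  # compression pointers are not allowed in the signer name
            raise ValueError("invalid label length in signer name")
        if off + n > len(buf):
            raise ValueError("truncated label")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n

def parse_rrsig(rdata):
    """Parse RRSIG RDATA: 18 fixed bytes, signer name, then the signature."""
    if len(rdata) < 18:
        raise ValueError("RRSIG RDATA shorter than fixed header")
    covered, alg, labels, ttl, expire, incept, tag = struct.unpack(
        "!HBBIIIH", rdata[:18])
    signer, off = read_name(rdata, 18)
    return {
        "type_covered": RRTYPES.get(covered, f"TYPE{covered}"),
        "algorithm": alg,
        "algorithm_name": ALGORITHMS.get(alg, f"UNKNOWN({alg})"),
        "labels": labels, "original_ttl": ttl,
        "expiration": expire, "inception": incept, "key_tag": tag,
        "signer": signer,
        "signature_len": len(rdata) - off,  # 64 bytes for P-256 (r || s)
    }

# Constructed sample: RRSIG over an A RRset, algorithm 13, signer cloudflare.com.
SIGNER = bytes([10]) + b"cloudflare" + bytes([3]) + b"com" + bytes([0])
SAMPLE = struct.pack("!HBBIIIH", 1, 13, 2, 300,
                     1485500000, 1485300000, 35273) + SIGNER + bytes(64)

if __name__ == "__main__":
    for key, value in parse_rrsig(SAMPLE).items():
        print(f"{key:15} {value}")
```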

