After rebooting my OpenWRT router with Bind 9.18.1 yesterday, I started seeing a lot of:

May 12 19:24:06 OpenWrt named[11061]: validating ./NS: no valid signature found
May 12 19:24:06 OpenWrt named[11061]: validating net/DS: no valid signature found
May 12 19:24:06 OpenWrt named[11061]: no valid RRSIG resolving './NS/IN': 192.203.230.10#53
May 12 19:24:06 OpenWrt named[11061]: no valid RRSIG resolving 'net/DS/IN': 8.8.4.4#53
May 12 19:24:06 OpenWrt named[11061]: validating com/DS: no valid signature found
May 12 19:24:06 OpenWrt named[11061]: no valid RRSIG resolving 'com/DS/IN': 8.8.4.4#53
May 12 19:24:06 OpenWrt named[11061]: validating net/DS: no valid signature found
May 12 19:24:06 OpenWrt named[11061]: no valid RRSIG resolving 'net/DS/IN': 66.232.64.10#53
May 12 19:24:06 OpenWrt named[11061]: validating com/DS: no valid signature found
May 12 19:24:06 OpenWrt named[11061]: no valid RRSIG resolving 'com/DS/IN': 66.232.64.10#53

In my options, I had:

dnssec-validation auto;

But had to turn this off. It had been working. This is a production firewall/router.

What troubleshooting should I do to fix this?

I had tried:

rndc managed-keys refresh
rndc managed-keys sync

But don't understand why that would have been necessary unless the root keys got updated recently.

Scrolling to the very top of the logs I see:

May 12 19:24:04 OpenWrt named[11061]: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

Thanks,

-Philip
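
Added example, not part of the original post: a small Python triage helper that groups the named messages quoted above by the name/type that failed validation and the upstream server queried, and reports trust-anchor (managed-keys) fetch failures separately. The function name `summarize` and the result keys are this example's own; the sample lines are copied from the post.

```python
import re

# Log lines copied from the post above, one syslog record per line,
# in chronological order (the managed-keys line was at the top of the log).
SAMPLE = """\
May 12 19:24:04 OpenWrt named[11061]: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out
May 12 19:24:06 OpenWrt named[11061]: validating ./NS: no valid signature found
May 12 19:24:06 OpenWrt named[11061]: no valid RRSIG resolving './NS/IN': 192.203.230.10#53
May 12 19:24:06 OpenWrt named[11061]: no valid RRSIG resolving 'net/DS/IN': 8.8.4.4#53
May 12 19:24:06 OpenWrt named[11061]: no valid RRSIG resolving 'com/DS/IN': 8.8.4.4#53
May 12 19:24:06 OpenWrt named[11061]: no valid RRSIG resolving 'net/DS/IN': 66.232.64.10#53
May 12 19:24:06 OpenWrt named[11061]: no valid RRSIG resolving 'com/DS/IN': 66.232.64.10#53
"""

# Syslog prefix, then the two message shapes seen in the post.
PREFIX = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ named\[\d+\]: (.*)$")
KEY_FETCH = re.compile(r"^managed-keys-zone: Unable to fetch DNSKEY set '([^']+)': (.+)$")
NO_RRSIG = re.compile(r"^no valid RRSIG resolving '([^/]+)/([^/]+)/IN': ([^#]+)#\d+$")

def summarize(text):
    """Return trust-anchor fetch failures and, per failing name/type,
    the set of servers whose answers did not validate."""
    anchor, rrsets, first_rrsig = [], {}, None
    for n, line in enumerate(text.splitlines()):
        m = PREFIX.match(line.strip())
        if not m:
            continue  # not a named record
        msg = m.group(1)
        if k := KEY_FETCH.match(msg):
            anchor.append((n, k.group(1), k.group(2)))
        elif r := NO_RRSIG.match(msg):
            rrsets.setdefault((r.group(1), r.group(2)), set()).add(r.group(3))
            first_rrsig = n if first_rrsig is None else first_rrsig
    return {
        "anchor_failures": [(zone, why) for _, zone, why in anchor],
        "rrsets": rrsets,
        "servers": set().union(*rrsets.values()) if rrsets else set(),
        # True when a trust-anchor fetch failure is logged before the
        # first RRSIG failure (by line order in the log).
        "anchor_failed_first": bool(anchor)
        and (first_rrsig is None or anchor[0][0] < first_rrsig),
    }

if __name__ == "__main__":
    s = summarize(SAMPLE)
    for zone, why in s["anchor_failures"]:
        print(f"trust anchor fetch failed for '{zone}': {why}")
    for (name, rtype), servers in sorted(s["rrsets"].items()):
        print(f"{name}/{rtype}: no valid RRSIG from {', '.join(sorted(servers))}")
    print("anchor failure precedes RRSIG failures:", s["anchor_failed_first"])
```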