On Wed, 18 Sep 2019 11:47:37 -0400, Ian Zimmerman wrote:
>
> On 2019-09-17 20:40, John Covici wrote:
>
> > On Tue, 17 Sep 2019 18:33:51 -0400,
> > Ian Zimmerman wrote:
> > >
> > > On 2019-09-17 13:01, John Covici wrote:
> > >
> > > > > > Also, when I restart named (which I have now done automatically by
> > > > > > systemd) it gives me a lot of errors like the following:
> > > > > > Sep 17 03:11:59 ccs.covici.com named[3299910]: validating arpa/DS: no valid signature found
> > > > > > or this:
> > > > > > Sep 17 03:12:00 ccs.covici.com named[3299910]: validating com/DS: no valid signature found
> > > > > >
> > > > > This looks like a DNSSEC problem. I don't run bind on my gentoo system,
> > > > > but I did this:
> > > >
> > > > [snipped]
> > > >
> > > > > Try running "ldd /usr/sbin/named". Is openssl (ie. libssl and
> > > > > libcrypto) part of the output?
> > >
> > > > libcrypto is there along with libgnutls, but no libssl.
> > >
> > > Ok, so it probably is built with DNSSEC support.
> > >
> > > How do you populate your cache? Do you recurse to the root servers, or
> > > do you have a "forwarder" (for example, your ISP server) to which you
> > > pass all queries that miss the cache?
> >
> > I have more than one, but they are forwarders.
>
> Then it's likely a problem with one of them. For DNSSEC to work, all
> the servers that handle the query must support it.
>
> One way to get rid of the warning is to just disable DNSSEC at runtime.
> In /etc/bind/named.conf (or a file included by it):
>
> options { dnssec-enable no; };
>
> Reference:
> https://downloads.isc.org/isc/bind9/9.14.0/doc/arm/Bv9ARM.ch05.html#options_grammar
>
Thanks, I will try that, do you know why named is restarting, this is a much worse problem?

-- 
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?

John Covici wb2una
cov...@ccs.covici.com
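
Added example, not part of the original thread: a shell check for the diagnosis given in the quoted reply, that one of the forwarders does not pass DNSSEC data through. It asks each forwarder for the `com.` DS record with `dig +dnssec` and reports whether an RRSIG covering it came back; the function names and the sample answers are constructed for illustration, and the forwarder addresses are passed as arguments.

```shell
#!/bin/sh
# Hypothetical helper names; forwarder IPs are supplied on the command line.

# Constructed sample of a `dig +dnssec +noall +answer com. DS` answer
# from a forwarder that passes signatures through (rdata is made up).
SAMPLE_SIGNED='com.	86400	IN	DS	11111 8 2 0000AAAA0000BBBB0000CCCC0000DDDD
com.	86400	IN	RRSIG	DS 8 1 86400 20190930000000 20190917000000 22222 . Y29uc3RydWN0ZWQ='
# Constructed sample from a forwarder that drops the RRSIG record.
SAMPLE_STRIPPED='com.	86400	IN	DS	11111 8 2 0000AAAA0000BBBB0000CCCC0000DDDD'

# classify_answer ZONE: reads dig answer-section text on stdin and prints
#   signed   - DS present together with an RRSIG covering DS
#   unsigned - DS present but no RRSIG (named cannot validate this)
#   empty    - no DS record at all (includes timeouts and refusals)
classify_answer() {
    awk -v zone="$1" '
        BEGIN { z = tolower(zone) }
        /^;/ || NF < 5 { next }                      # skip comments, short lines
        tolower($1) != z || $3 != "IN" { next }      # other owner names or classes
        $4 == "DS" { ds = 1 }
        $4 == "RRSIG" && $5 == "DS" { sig = 1 }
        END {
            if (ds && sig) print "signed"
            else if (ds)   print "unsigned"
            else           print "empty"
        }'
}

# check_forwarder IP [ZONE]: query one forwarder directly, bypassing named.
check_forwarder() {
    zone=${2:-com.}
    dig "@$1" "$zone" DS +dnssec +noall +answer +time=3 +tries=1 2>/dev/null |
        classify_answer "$zone"
}

# Run only when forwarder addresses are given, e.g.:
#   sh check-forwarders.sh <forwarder-ip-1> <forwarder-ip-2>
if [ "$#" -gt 0 ]; then
    for fwd in "$@"; do
        printf '%s\t%s\n' "$fwd" "$(check_forwarder "$fwd")"
    done
fi
```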