On Wed, 18 Sep 2019 11:47:37 -0400,
Ian Zimmerman wrote:
> 
> On 2019-09-17 20:40, John Covici wrote:
> 
> > On Tue, 17 Sep 2019 18:33:51 -0400,
> > Ian Zimmerman wrote:
> > > 
> > > On 2019-09-17 13:01, John Covici wrote:
> > > 
> > > > > > Also, when I restart named (which I have now done automatically by
> > > > > > systemd) it gives me a lot of errors like the following:
> > > > > > Sep 17 03:11:59 ccs.covici.com named[3299910]: validating arpa/DS: no valid signature found
> > > > > > or this:
> > > > > > Sep 17 03:12:00 ccs.covici.com named[3299910]: validating com/DS: no valid signature found
> > > > > 
> > > > > This looks like a DNSSEC problem.  I don't run bind on my gentoo system,
> > > > > but I did this:
> > > 
> > > > > [snipped]
> > > 
> > > > > Try running "ldd /usr/sbin/named".  Is openssl (ie. libssl and
> > > > > libcrypto) part of the output?
> > > 
> > > > libcrypto is there along with libgnutls, but no libssl.
> > > 
> > > Ok, so it probably is built with DNSSEC support.
> > > 
> > > How do you populate your cache?  Do you recurse to the root servers, or
> > > do you have a "forwarder" (for example, your ISP server) to which you
> > > pass all queries that miss the cache?
> > 
> > I have more than one, but they are forwarders. 
> 
> Then it's likely a problem with one of them.  For DNSSEC to work, all
> the servers that handle the query must support it.
> 
> One way to get rid of the warning is to just disable DNSSEC at runtime.
> In /etc/bind/named.conf (or a file included by it):
> 
> options { dnssec-enable no; };
> 
> Reference:
> https://downloads.isc.org/isc/bind9/9.14.0/doc/arm/Bv9ARM.ch05.html#options_grammar
> 

Thanks, I will try that. Do you know why named is restarting? This is a much
worse problem.

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do you spend it?

         John Covici wb2una
         cov...@ccs.covici.com
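
The reply quoted above says every server handling the query must support DNSSEC. As an added example (not part of the original thread), this script classifies a forwarder's `dig +dnssec` answer to a DS query by whether an RRSIG comes back with it. The function names and the embedded dig output are constructed for illustration; `check_forwarder` assumes `dig` is installed and takes the forwarder's address as its argument.

```shell
#!/bin/sh
# Added example (not from the thread). Sample dig output below is constructed.

# classify_answer: read `dig +dnssec <zone> DS` output on stdin and report
# whether the ANSWER section has a DS rrset and an RRSIG covering it.
classify_answer() {
    awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;; / || /^$/        { in_answer = 0 }
        in_answer && $4 == "DS"                  { ds++ }
        in_answer && $4 == "RRSIG" && $5 == "DS" { sig++ }
        END {
            if (ds == 0)       print "no-answer"
            else if (sig == 0) print "unsigned"   # signatures were dropped
            else               print "signed"
        }'
}

# check_forwarder ADDR [ZONE]: query one forwarder directly (needs network).
check_forwarder() {
    dig +dnssec "@$1" "${2:-com.}" DS | classify_answer
}

# Constructed reply from a forwarder that passes DNSSEC records through.
sample_signed() {
    cat <<'EOF'
;; ANSWER SECTION:
com.  86400 IN DS 12345 8 2 CONSTRUCTED0DIGEST
com.  86400 IN RRSIG DS 8 1 86400 20191001000000 20190917000000 54321 . CONSTRUCTEDSIG=

;; Query time: 20 msec
EOF
}

# Constructed reply from a forwarder that returns the DS but no RRSIG.
sample_stripped() {
    cat <<'EOF'
;; ANSWER SECTION:
com.  86400 IN DS 12345 8 2 CONSTRUCTED0DIGEST

;; Query time: 20 msec
EOF
}

echo "pass-through forwarder: $(sample_signed | classify_answer)"
echo "stripping forwarder:    $(sample_stripped | classify_answer)"
```

Running `check_forwarder` against each address in the `forwarders` list shows which one reports `unsigned`, that is, which one is not returning signatures.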
