In message <jnrabn$olm$1...@dough.gmane.org>, "Brian J. Murrell" writes:

> Not having dipped my toe into DNSSEC yet (yes, I know, but time is
> always so scarce)...
>
> So I am seeing a bunch of this sort of thing in my BIND logs now:
>
> 04:02:18 named validating @0xb0f58988: 124.in-addr.arpa SOA: no valid signature found
> 04:02:18 named validating @0xb0f58988: 124.in-addr.arpa NSEC: no valid signature found
> 04:02:18 named validating @0xb0f58988: 227.124.in-addr.arpa NSEC: no valid signature found
> 04:03:30 named validating @0xb0f58988: net SOA: no valid signature found
> 04:03:30 named validating @0xb0f58988: a1rt98bs5qgc9nfi51s9hci47uljg6jh.net NSEC3: no valid signature found
> 04:03:30 named validating @0xb0f58988: 5VI63OJ105LD6R767I45IDJR5Q55T1R1.net NSEC3: no valid signature found
> 04:03:30 named validating @0xb0f58988: EEE0K4ONQCCHCJQTQ5VJD52NKJTEHAJN.net NSEC3: no valid signature found
> 04:03:30 named validating @0xb0f4d8c0: uk SOA: no valid signature found
> 04:03:30 named validating @0xb21ea7c0: u1fmklfv3rdcnamdc64sekgcdp05bbiu.uk NSEC3: no valid signature found
> 04:03:30 named validating @0xb0f67990: pl SOA: no valid signature found
> 04:03:30 named validating @0xb18914a0: RVLFSE0643QVHS3RI8VPKGANFBCJVJ06.pl NSEC3: no valid signature found
> 04:03:31 named validating @0xb0f949d0: GSV9U2BOSCL9B9TQAL1UAV4BNVI9EVUE.pl NSEC3: no valid signature found
> 04:03:31 named validating @0xb21cc520: org SOA: no valid signature found
> 04:03:31 named validating @0xb18f2c08: org SOA: no valid signature found
> 04:03:31 named validating @0xb21ea7c0: fk47636n6psb8mv7rdu6tpdhas69cbjp.org NSEC3: no valid signature found
> 04:03:31 named validating @0xb0fe6528: h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org NSEC3: no valid signature found
> 04:03:31 named validating @0xb0f61960: h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org NSEC3: no valid signature found
> 04:03:31 named validating @0xb21cc520: 4rkhv4s4situ82j70sp5tq5utm12o2t8.org NSEC3: no valid signature found
> 04:03:31 named validating @0xb18f2c08: ic8a82pge1m0qdob5sce1e3613hqr7br.org NSEC3: no valid signature found
> 04:03:31 named validating @0xb0f949d0: h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org NSEC3: no valid signature found
> 04:03:31 named validating @0xb0f949d0: vai6s58iqmjmin7ju8mq61aju3q4ms5h.org NSEC3: no valid signature found
> 04:03:31 named validating @0xb0f949d0: org SOA: no valid signature found
> 04:03:31 named validating @0xb18914a0: vai6s58iqmjmin7ju8mq61aju3q4ms5h.org NSEC3: no valid signature found
> 04:03:31 named validating @0xb21e1518: vai6s58iqmjmin7ju8mq61aju3q4ms5h.org NSEC3: no valid signature found
> 04:09:43 named validating @0xb0f58988: 117.in-addr.arpa SOA: no valid signature found
> 04:09:43 named validating @0xb0f58988: 117.in-addr.arpa NSEC: no valid signature found
> 04:09:43 named validating @0xb0f58988: 240.117.in-addr.arpa NSEC: no valid signature found
> 04:13:52 named validating @0xb0f58988: 27.in-addr.arpa SOA: no valid signature found
> 04:13:52 named validating @0xb0f58988: 22.115.27.in-addr.arpa NSEC: no valid signature found
> 04:13:52 named validating @0xb0f58988: 99.114.27.in-addr.arpa NSEC: no valid signature found
> 04:15:16 named validating @0xb0f58988: 117.in-addr.arpa SOA: no valid signature found
> 04:15:16 named validating @0xb0f58988: 117.in-addr.arpa NSEC: no valid signature found
> 04:15:16 named validating @0xb0f58988: 99.20.117.in-addr.arpa NSEC: no valid signature found
> 04:15:48 named validating @0xb0f58988: org SOA: no valid signature found
> 04:15:48 named validating @0xb0f58988: h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org NSEC3: no valid signature found
> 04:15:48 named validating @0xb0f58988: osfek8jf3dv7trcfcuheumjh9bpmjkeq.org NSEC3: no valid signature found
> 04:15:48 named validating @0xb0f58988: vai6s58iqmjmin7ju8mq61aju3q4ms5h.org NSEC3: no valid signature found
>
> And am wondering what they are really telling me. Are they all
> different flavours of "zone is not signed" or are they more like
> "zone is supposed to be signed but there are problems with it"?
>
> Cheers,
> b.
The zones are signed. Possible reasons are:

* a firewall blocking EDNS queries.
* using a non-DNSSEC-enabled forwarder, so you don't get signatures.
* a firewall blocking fragmented UDP and named falling back to plain DNS.
* other packet loss causing named to fall back to plain DNS.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
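A small triage script for the log lines Brian posted, added here as an example and not part of either message or of BIND. It rejoins the quoted-printable soft breaks the mail client inserted, parses each "named validating" line, strips the hashed owner label from NSEC3 names so the failure is attributed to the zone that signed the record, and checks whether every failing RRset is one of the types (SOA, NSEC, NSEC3) that make up a negative answer's denial-of-existence proof. The sample log is a constructed subset of the lines above; the regexes and the NSEC3 hash test (32 base32hex characters) are my assumptions about the log format.

```python
import re
from collections import Counter

# Constructed sample: a few of the posted lines, still carrying the
# quoted-printable soft breaks ("=" at end of line) the mail client added.
SAMPLE_LOG = """\
04:02:18 named validating @0xb0f58988: 124.in-addr.arpa SOA: no valid sig=
nature found
04:02:18 named validating @0xb0f58988: 124.in-addr.arpa NSEC: no valid si=
gnature found
04:03:30 named validating @0xb0f58988: net SOA: no valid signature found
04:03:30 named validating @0xb0f58988: a1rt98bs5qgc9nfi51s9hci47uljg6jh.n=
et NSEC3: no valid signature found
04:03:30 named validating @0xb0f4d8c0: uk SOA: no valid signature found
04:03:31 named validating @0xb21cc520: org SOA: no valid signature found
04:03:31 named validating @0xb21ea7c0: fk47636n6psb8mv7rdu6tpdhas69cbjp.o=
rg NSEC3: no valid signature found
04:15:16 named validating @0xb0f58988: 99.20.117.in-addr.arpa NSEC: no va=
lid signature found
"""

# Assumed shape of a BIND validator log line: time, "named validating",
# validator context pointer, owner name, RR type, message.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) named validating @(?P<ctx>0x[0-9a-f]+): "
    r"(?P<owner>\S+) (?P<rrtype>[A-Z0-9]+): (?P<msg>.+)$"
)
# NSEC3 owner names are a base32hex SHA-1 hash (32 chars, digits and a-v)
# prepended to the zone name.
NSEC3_HASH_RE = re.compile(r"^[0-9a-v]{32}$", re.IGNORECASE)
# Types that make up an authenticated negative answer: the SOA in the
# authority section plus the NSEC/NSEC3 records proving non-existence.
DENIAL_TYPES = {"SOA", "NSEC", "NSEC3"}


def unwrap_qp(text):
    """Rejoin quoted-printable soft line breaks so each log line is whole."""
    return text.replace("=\n", "")


def parse_validation_log(text):
    """Return one dict per 'named validating ...' line that matches LINE_RE."""
    return [m.groupdict() for m in map(LINE_RE.match, unwrap_qp(text).splitlines()) if m]


def zone_of(owner, rrtype):
    """Best-effort zone the record belongs to: drop an NSEC3 hash label,
    otherwise return the owner (an apex SOA names its zone directly)."""
    labels = owner.rstrip(".").split(".")
    if rrtype == "NSEC3" and NSEC3_HASH_RE.match(labels[0]):
        return ".".join(labels[1:])
    return owner


def summarize(records):
    """Count validation failures per (zone, rrtype)."""
    return Counter((zone_of(r["owner"], r["rrtype"]), r["rrtype"]) for r in records)


def denial_only(records):
    """True if every failing RRset is part of a denial-of-existence proof,
    i.e. the validator never got a usable RRSIG on negative answers."""
    return bool(records) and all(r["rrtype"] in DENIAL_TYPES for r in records)


if __name__ == "__main__":
    recs = parse_validation_log(SAMPLE_LOG)
    for (zone, rrtype), n in sorted(summarize(recs).items()):
        print(f"{zone:30} {rrtype:6} {n}")
    print("only denial-of-existence records failing:", denial_only(recs))
```

Run it over the full log (`python3 triage.py < named.log` after swapping SAMPLE_LOG for `sys.stdin.read()`) and the pattern in Brian's excerpt stands out: every failure is on the SOA, NSEC or NSEC3 of a signed TLD or reverse zone, which is what the validator reports when those responses arrive without usable signatures rather than when a zone is unsigned.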
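One way to tell Mark's four causes apart from the resolver host, written as an added example that is not part of his reply or of any ISC tool: each cause is turned into a pair of dig probes, and the dig output is parsed for the things that distinguish them (did any response arrive, is there an EDNS OPT record, is there an RRSIG in the answer). AUTH, FORWARDER, ZONE and the probe flags are my assumptions; the three sample dig outputs are constructed so that the classifier can be exercised without a network.

```python
import re
import shlex
import subprocess

# Placeholders (assumptions, not from the thread). Run on the resolver host:
# AUTH is an authoritative server of a signed zone seen in the log (find one
# with `dig +short NS org`); FORWARDER is the upstream named forwards to.
AUTH = "192.0.2.1"
FORWARDER = "192.0.2.53"
ZONE = "org"

# One probe pair per cause in the reply. +time/+tries stop a dropped packet
# from taking minutes to notice; +ignore disables the TCP retry on truncation
# so a blocked large UDP answer surfaces as a timeout instead of succeeding.
PROBES = {
    "edns":     f"@{AUTH} {ZONE} SOA +edns=0 +time=3 +tries=1",
    "noedns":   f"@{AUTH} {ZONE} SOA +noedns +time=3 +tries=1",
    "fwd":      f"@{FORWARDER} {ZONE} SOA +dnssec +time=3 +tries=1",
    "bigudp":   f"@{AUTH} {ZONE} DNSKEY +dnssec +bufsize=4096 +ignore +time=3 +tries=1",
    "smalludp": f"@{AUTH} {ZONE} DNSKEY +dnssec +bufsize=512 +ignore +time=3 +tries=1",
}

# Constructed dig outputs, trimmed to the lines the parsers look at.
TIMED_OUT = ";; connection timed out; no servers could be reached\n"
SIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
org.\t900\tIN\tSOA\tns1.example. hostmaster.example. 1 1800 900 604800 86400
org.\t900\tIN\tRRSIG\tSOA 7 1 900 20120101000000 20111201000000 12345 org. dGVzdA==
"""
UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; ANSWER SECTION:
org.\t900\tIN\tSOA\tns1.example. hostmaster.example. 1 1800 900 604800 86400
"""


def run_probe(args):
    """Run dig with the given argument string and return its stdout."""
    return subprocess.run(["dig", *shlex.split(args)], capture_output=True, text=True).stdout


def answered(out):
    """dig printed a header section, so some response arrived."""
    return ";; ->>HEADER<<-" in out


def header_flags(out):
    m = re.search(r"^;; flags:\s*([a-z ]*);", out, re.M)
    return set(m.group(1).split()) if m else set()


def edns_udp_size(out):
    """Advertised UDP buffer size from the OPT pseudosection, or None if absent."""
    m = re.search(r"^; EDNS: version: \d+, flags:[^;]*; udp: (\d+)", out, re.M)
    return int(m.group(1)) if m else None


def has_rrsig(out):
    """Any non-comment record line whose type column is RRSIG."""
    for line in out.splitlines():
        f = line.split()
        if line and not line.startswith(";") and len(f) >= 4 and f[3] == "RRSIG":
            return True
    return False


def diagnose(results):
    """Map probe outputs (label -> dig stdout) to the causes in the reply."""
    found = []
    if not answered(results["edns"]) and answered(results["noedns"]):
        found.append("EDNS queries dropped (firewall blocking EDNS)")
    if answered(results["fwd"]) and not has_rrsig(results["fwd"]):
        found.append("+dnssec answer from forwarder has no RRSIG (non-DNSSEC forwarder)")
    if not answered(results["bigudp"]) and answered(results["smalludp"]):
        found.append("large UDP answers never arrive (fragmented UDP blocked)")
    return found


if __name__ == "__main__":
    live = {label: run_probe(args) for label, args in PROBES.items()}
    print("\n".join(diagnose(live)) or "no obvious path problem; check for packet loss")
```

The DNSKEY RRset is used for the fragmentation probe because in a signed zone it is typically the answer most likely to exceed the path MTU once its RRSIGs are attached. The fourth cause, plain packet loss, has no single-shot test; rerunning the probes a few dozen times and counting timeouts is the practical check.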