
dnssec-enable made named stop working


Leandro

Jul 14, 2015, 5:14:15 PM7/14/15
to bind-...@lists.isc.org
Suddenly the server stopped working; the following messages appeared in the logs:

validating @0x7f2c60591400: . NS: got insecure response; parent indicates
it should be secure
error (insecurity proof failed) resolving './NS/IN': 199.7.83.42#53
validating @0x7f2c60528430: net SOA: verify failed due to bad signature
(keyid=48497): RRSIG validity period has not begun
validating @0x7f2c60528430: net SOA: no valid signature found
After adding
dnssec-enable = no ;
and restarting the server, it began working again.


a) Why did it happen if the server was already working?
In my original named.conf I had default settings like this:
the include statement:
include "/etc/named.root.key";
and the file named.root.key containing:

managed-keys {
# DNSKEY for the root zone.
# Updates are published on root-dnsse...@icann.org
. initial-key 257 3 8
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=";
};

b) Is it bad practice to disable the dnssec option?
c) What is good practice regarding dnssec use?
d) Does named using dnssec have problems very often?
e) Will using dnssec decrease server performance?


Sorry for the battery of questions, but I'm very concerned about it; my server
was ready to go into production but now I have to figure out this issue.
I am reading some docs and researching this.
Any comments or thoughts would be welcome.
Leandro.
Mark Andrews

Jul 14, 2015, 7:08:47 PM7/14/15
to Leandro, bind-...@isc.org

In message <55A57B9C...@gmail.com>, Leandro writes:
> Suddenly server stop working ; on logs following messages appeared :
>
> alidating @0x7f2c60591400: . NS: got insecure response; parent indicates
> it should be secure
> error (insecurity proof failed) resolving './NS/IN': 199.7.83.42#53
> validating @0x7f2c60528430: net SOA: verify failed due to bad signature
> (keyid=48497): RRSIG validity period has not begun
> validating @0x7f2c60528430: net SOA: no valid signature found
> After add
> dnssec-enable = no ;
> and restart the server, it began working again.

It looks like the clock is wrong based on "RRSIG validity period has
not begun". Run "date -u" and check everything.

> a)Why did it happen if server was already working ?
> In my original named.conf I had default settings like this:
> the include statement:
> include "/etc/named.root.key";
> and the file named.root.key containing:
>
> managed-keys {
> # DNSKEY for the root zone.
> # Updates are published on root-dnsse...@icann.org
> . initial-key 257 3 8
> "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
> FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
> bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
> X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
> W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
> Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=";
> };
>
> b) Is it bad practice to disable dnssec option ?
> c) Which is a good practice about dnssec use ?
> e) Named using dnssec have problems very often ?
> c) Using dnssec will decrease server performance ?
>
>
> Sorry for the questions battery butIm very concerned about it, my server
> was ready to go on production but now I have to figure out this issue.
> I am reading some docs and researching about this.
> Any comments or thought would be wellcome
> Leandro.
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-...@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
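The diagnosis above rests on how RRSIG records work: each signature carries an inception and an expiration timestamp (RFC 4034), and a validator accepts it only if its own clock falls inside that window. A resolver whose clock is behind therefore reports every fresh signature as "RRSIG validity period has not begun", exactly the message in Leandro's log. The following script is an added example, not code from the thread or from ISC: it parses an RRSIG in dig's presentation format, tells which side of the validity window a given clock falls on, puts a lower bound on the clock error, and flags the validator log lines that point at the clock rather than at the zone. The RRSIG record and the signature bytes are constructed; the key tag 48497 is taken from the thread, and the "RRSIG has expired" message is BIND's wording for the other direction of skew.

```python
"""Relate BIND's "RRSIG validity period has not begun" to the system clock.

Added example; records, signature bytes and log lines below are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

RRSIG_TIME_FMT = "%Y%m%d%H%M%S"  # RRSIG timestamps are YYYYMMDDHHmmSS, always UTC


def parse_rrsig_time(text: str) -> datetime:
    """Parse an RRSIG inception/expiration field into an aware UTC datetime."""
    return datetime.strptime(text, RRSIG_TIME_FMT).replace(tzinfo=timezone.utc)


def parse_rrsig(rr_text: str) -> Dict[str, object]:
    """Parse an RRSIG record as printed by 'dig +dnssec'.

    Field order after the RRSIG type name: type covered, algorithm, labels,
    original TTL, expiration, inception, key tag, signer name, signature.
    Note that expiration comes before inception in the presentation format.
    """
    fields = rr_text.split()
    if len(fields) < 13 or fields[3] != "RRSIG":
        raise ValueError("not an RRSIG record in presentation format")
    return {
        "owner": fields[0],
        "type_covered": fields[4],
        "algorithm": int(fields[5]),
        "expiration": parse_rrsig_time(fields[8]),
        "inception": parse_rrsig_time(fields[9]),
        "key_tag": int(fields[10]),
        "signer": fields[11],
        "signature": "".join(fields[12:]),  # dig may wrap the base64 over several tokens
    }


def signature_window_status(rrsig: Dict[str, object], now: datetime) -> str:
    """Return 'valid', 'not begun' or 'expired' for this signature at clock time now.

    Simplification: RFC 4034 compares these fields with 32-bit serial arithmetic;
    plain datetime comparison gives the same answer for any clock within
    roughly 68 years of the signature, which covers every realistic skew.
    """
    if now < rrsig["inception"]:
        return "not begun"
    if now > rrsig["expiration"]:
        return "expired"
    return "valid"


def minimum_clock_error(rrsig: Dict[str, object], now: datetime) -> timedelta:
    """Lower bound on the clock error implied by a time-based validation failure.

    Positive: the clock is behind by at least this much.
    Negative: the clock is ahead by at least this much (or re-signing has stalled).
    Zero: the window check passes, so the clock is not the problem.
    """
    status = signature_window_status(rrsig, now)
    if status == "not begun":
        return rrsig["inception"] - now
    if status == "expired":
        return rrsig["expiration"] - now
    return timedelta(0)


# Validator messages that implicate the resolver clock rather than the zone.
# The first is quoted in the thread; the second is BIND's message for the
# opposite direction of skew (assumed wording, not from the thread).
CLOCK_SKEW_MESSAGES = {
    "RRSIG validity period has not begun": "resolver clock behind (signature looks like it is from the future)",
    "RRSIG has expired": "resolver clock ahead, or the zone has not been re-signed in time",
}


def triage_named_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (log line, suspected cause) for every line that indicates clock skew."""
    hits = []
    for line in lines:
        for needle, cause in CLOCK_SKEW_MESSAGES.items():
            if needle in line:
                hits.append((line.strip(), cause))
    return hits


# Constructed RRSIG over the net. SOA, modelled on the thread's keyid=48497.
# One-week window starting 2015-07-14; the signature field is a placeholder.
SAMPLE_RRSIG = ("net. 900 IN RRSIG SOA 8 1 900 20150721000000 20150714000000 "
                "48497 net. AAAAexampleSignaturePlaceholder==")

# The two validator lines from the thread, as a resolver would log them.
SAMPLE_LOG = [
    "validating @0x7f2c60528430: net SOA: verify failed due to bad signature "
    "(keyid=48497): RRSIG validity period has not begun",
    "validating @0x7f2c60528430: net SOA: no valid signature found",
]


def demo() -> Dict[str, object]:
    """Evaluate the sample signature against a slow clock and a correct one."""
    rrsig = parse_rrsig(SAMPLE_RRSIG)
    slow_clock = datetime(2015, 7, 10, 12, 0, tzinfo=timezone.utc)   # 3.5 days behind
    correct_clock = datetime(2015, 7, 15, 12, 0, tzinfo=timezone.utc)
    return {
        "status_when_behind": signature_window_status(rrsig, slow_clock),
        "clock_error_when_behind": minimum_clock_error(rrsig, slow_clock),
        "status_when_correct": signature_window_status(rrsig, correct_clock),
        "log_hits": triage_named_log(SAMPLE_LOG),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice you would feed `parse_rrsig` the RRSIG line from `dig +dnssec net. SOA` and `now` from `date -u` on the resolver host; a non-zero `minimum_clock_error` tells you the clock, not DNSSEC, needs fixing, and disabling validation only hides that. Because the check depends purely on the timestamps, it also explains why a resolver can appear to "suddenly" break: the previous signatures were within the window of a wrong clock, and the freshly re-signed ones are not.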