Date: Wed, 18 Sep 2019 08:47:37 -0700
From: Ian Zimmerman
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Re: problem with named restarting
Message-ID: <20190918154737.r2me37c4f7h4iads@matica.foolinux.mooo.com>
References: <20190917161414.fz24gizh7o2umqus@matica.foolinux.mooo.com>
 <20190917223351.wgdcfozsht5oqayc@matica.foolinux.mooo.com>

On 2019-09-17 20:40, John Covici wrote:

> On Tue, 17 Sep 2019 18:33:51 -0400,
> Ian Zimmerman wrote:
> >
> > On 2019-09-17 13:01, John Covici wrote:
> >
> > > > > Also, when I restart named (which I have now done automatically by
> > > > > systemd) it gives me a lot of errors like the following:
> > > > > Sep 17 03:11:59 ccs.covici.com named[3299910]: validating arpa/DS: no
> > > > > valid signature found
> > > > > or this:
> > > > > Sep 17 03:12:00 ccs.covici.com named[3299910]: validating com/DS: no
> > > > > valid signature found
> > > >
> > > > This looks like a DNSSEC problem. I don't run bind on my gentoo system,
> > > > but I did this:
> > >
> > > [snipped]
> > >
> > > > Try running "ldd /usr/sbin/named". Is openssl (ie. libssl and
> > > > libcrypto) part of the output?
> > >
> > > libcrypto is there along with libgnutls, but no libssl.
> >
> > Ok, so it probably is built with DNSSEC support.
> >
> > How do you populate your cache? Do you recurse to the root servers, or
> > do you have a "forwarder" (for example, your ISP server) to which you
> > pass all queries that miss the cache?
>
> I have more than one, but they are forwarders.

Then it's likely a problem with one of them. For DNSSEC to work, all the
servers that handle the query must support it.

One way to get rid of the warning is to just disable DNSSEC at runtime.
In /etc/bind/named.conf (or a file included by it):

options {
    dnssec-enable no;
};

Reference:
https://downloads.isc.org/isc/bind9/9.14.0/doc/arm/Bv9ARM.ch05.html#options_grammar

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet and on broken lists
which rewrite From, fetch the TXT record for no-use.mooo.com.
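The reply above narrows the cause to one of the forwarders not passing DNSSEC data through. The following script is an added example, not from this thread or from the BIND project: it probes each forwarder for the DS RRset of a zone with the DO bit set and reports which one returns no RRSIG, so the offending forwarder can be found before validation is switched off. It assumes dig (net-dns/bind-tools) is installed; the forwarder addresses and the sample records in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: probe each named forwarder for DNSSEC support
# by asking it for the DS RRset of a zone with the DO bit set (dig +dnssec) and
# checking whether an RRSIG comes back. A forwarder that never requests or that
# strips DNSSEC records leaves named with nothing to validate, which shows up as
# "validating com/DS: no valid signature found" in the log.
# Assumes dig (net-dns/bind-tools) is installed; the addresses at the bottom are constructed.

# has_rrsig: read "dig +noall +answer" output on stdin; succeed (0) if any RRSIG
# record is present. Field 4 of each answer line is the RR type.
has_rrsig() {
    awk '$4 == "RRSIG" { found = 1 } END { exit found ? 0 : 1 }'
}

# ds_rrsig_present FORWARDER [ZONE]: 0 if the forwarder returns a signed DS
# RRset for ZONE (default "com", matching the log line in the thread), else 1.
# A timeout, SERVFAIL or an unsigned answer all count as a failure.
ds_rrsig_present() {
    fwd=$1
    zone=${2:-com}
    dig +dnssec +noall +answer +time=3 +tries=1 "@$fwd" "$zone" DS | has_rrsig
}

# check_forwarders ADDR...: probe every address, print a verdict per forwarder,
# and return the number of forwarders that failed the probe (0 means all passed).
check_forwarders() {
    bad=0
    for fwd in "$@"; do
        if ds_rrsig_present "$fwd"; then
            echo "$fwd: RRSIG returned, DNSSEC data passes through"
        else
            echo "$fwd: no RRSIG in answer, DNSSEC not supported or stripped"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed forwarder addresses (documentation range); replace them with the
# ones from the "forwarders { ... };" block in named.conf:
# check_forwarders 192.0.2.53 198.51.100.53
```

Run it once per forwarder from the "forwarders" block; a forwarder reported as stripping DNSSEC is the one to replace, or to exclude, rather than turning validation off for every query.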