Raspbian: BIND DNS: "no valid signature found"

Post by peter_b » Mon Apr 17, 2017 6:15 pm

[PROBLEM]
Getting weird timeouts when querying local BIND DNS nameserver.
Logs contain the following block of uncomfortable errors:
Apr 17 14:53:16 hostname named[518]: validating @0xb3ae5c58: . NS: got insecure response; parent indicates it should be secure
Apr 17 14:53:16 hostname named[518]: error (insecurity proof failed) resolving './NS/IN': 10.0.0.138#53
Apr 17 14:53:16 hostname named[518]: validating @0xb3ae5c58: . NS: no valid signature found
Apr 17 14:53:16 hostname named[518]: error (no valid RRSIG) resolving './NS/IN': 192.36.148.17#53
Apr 17 14:53:16 hostname named[518]: validating @0xb3ae5c58: . NS: no valid signature found
Apr 17 14:53:16 hostname named[518]: error (no valid RRSIG) resolving './NS/IN': 192.5.5.241#53
Apr 17 14:53:16 hostname named[518]: validating @0xb3ae5c58: . NS: no valid signature found
Apr 17 14:53:16 hostname named[518]: error (no valid RRSIG) resolving './NS/IN': 192.33.4.12#53
Apr 17 14:53:16 hostname named[518]: validating @0xb3ae5c58: . NS: no valid signature found
Apr 17 14:53:16 hostname named[518]: error (no valid RRSIG) resolving './NS/IN': 192.203.230.10#53
Apr 17 14:53:16 hostname named[518]: validating @0xb3ae5c58: . NS: no valid signature found
Apr 17 14:53:16 hostname named[518]: error (no valid RRSIG) resolving './NS/IN': 193.0.14.129#53
Apr 17 14:53:16 hostname named[518]: validating @0xb3ae5c58: . NS: no valid signature found
Apr 17 14:53:16 hostname named[518]: error (no valid RRSIG) resolving './NS/IN': 198.41.0.4#53
Apr 17 14:53:16 hostname named[518]: validating @0xb3ae5c58: . NS: no valid signature found
Apr 17 14:53:16 hostname named[518]: error (no valid RRSIG) resolving './NS/IN': 199.7.91.13#53
Apr 17 14:53:16 hostname named[518]: validating @0xb3ae5c58: . NS: no valid signature found
Apr 17 14:53:16 hostname named[518]: error (no valid RRSIG) resolving './NS/IN': 192.112.36.4#53
Apr 17 14:53:16 hostname named[518]: validating @0xb3ae5c58: . NS: no valid signature found
Apr 17 14:53:16 hostname named[518]: error (no valid RRSIG) resolving './NS/IN': 202.12.27.33#53
Apr 17 14:53:17 hostname named[518]: validating @0xb3ae5c58: . NS: no valid signature found
Apr 17 14:53:17 hostname named[518]: error (no valid RRSIG) resolving './NS/IN': 199.7.83.42#53
Apr 17 14:53:17 hostname named[518]: validating @0xb3ae5c58: . NS: no valid signature found
Apr 17 14:53:17 hostname named[518]: error (no valid RRSIG) resolving './NS/IN': 192.228.79.201#53
Apr 17 14:53:17 hostname named[518]: validating @0xb3ae5c58: . NS: no valid signature found
Apr 17 14:53:17 hostname named[518]: error (no valid RRSIG) resolving './NS/IN': 128.63.2.53#53
Apr 17 14:53:17 hostname named[518]: error (network unreachable) resolving './NS/IN': 2001:503:c27::2:30#53
Apr 17 14:53:17 hostname named[518]: error (network unreachable) resolving './NS/IN': 2001:7fe::53#53
Apr 17 14:53:17 hostname named[518]: error (network unreachable) resolving './NS/IN': 2001:500:2f::f#53
Apr 17 14:53:17 hostname named[518]: error (network unreachable) resolving './NS/IN': 2001:500:2::c#53
Apr 17 14:53:17 hostname named[518]: error (network unreachable) resolving './NS/IN': 2001:500:a8::e#53
Apr 17 14:53:17 hostname named[518]: error (network unreachable) resolving './NS/IN': 2001:7fd::1#53
Apr 17 14:53:17 hostname named[518]: error (network unreachable) resolving './NS/IN': 2001:503:ba3e::2:30#53
Apr 17 14:53:17 hostname named[518]: error (network unreachable) resolving './NS/IN': 2001:500:2d::d#53
Apr 17 14:53:17 hostname named[518]: error (network unreachable) resolving './NS/IN': 2001:500:12::d0d#53
Apr 17 14:53:17 hostname named[518]: error (network unreachable) resolving './NS/IN': 2001:dc3::35#53
Apr 17 14:53:17 hostname named[518]: error (network unreachable) resolving './NS/IN': 2001:500:3::42#53
Apr 17 14:53:17 hostname named[518]: error (network unreachable) resolving './NS/IN': 2001:500:84::b#53
Apr 17 14:53:17 hostname named[518]: error (network unreachable) resolving './NS/IN': 2001:500:1::803f:235#53
Apr 17 14:53:20 hostname named[518]: error (no valid RRSIG) resolving 'com/DS/IN': 10.0.0.138#53


[SOLUTION]
There are 2 unrelated errors in the above message block:
  1. network unreachable
  2. no valid signature found

1) IPv6 (!) Network unreachable:
Since I only have IPv4 in the local network, I've added "-4" to BIND's startup options in "/etc/default/bind9":
Code:
# startup options for the server
OPTIONS="-4 -u bind"


2) No valid signature found
Actually here's just a workaround :?
I've disabled dnssec validation.

In /etc/bind/named.conf.options change this:
Code:
    dnssec-validation auto;


to:
Code:
    //dnssec-validation auto;
    dnssec-enable no;


Restart BIND service, and you should be good.
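
Added example (not part of the original post): a small triage script that separates the two error classes named above and shows which upstream server each one came from, so the DNSSEC failures can be traced to a specific forwarder before validation is switched off. The reason-to-cause sets are assumptions that cover only the reasons seen in the quoted log; the function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Excerpt of the named log lines quoted in the post above.
SAMPLE_LOG = """\
Apr 17 14:53:16 hostname named[518]: validating @0xb3ae5c58: . NS: no valid signature found
Apr 17 14:53:16 hostname named[518]: error (insecurity proof failed) resolving './NS/IN': 10.0.0.138#53
Apr 17 14:53:16 hostname named[518]: error (no valid RRSIG) resolving './NS/IN': 192.36.148.17#53
Apr 17 14:53:17 hostname named[518]: error (network unreachable) resolving './NS/IN': 2001:7fe::53#53
Apr 17 14:53:20 hostname named[518]: error (no valid RRSIG) resolving 'com/DS/IN': 10.0.0.138#53
"""

# Assumption: only the reasons that occur in the quoted log are classified.
DNSSEC_REASONS = {"no valid RRSIG", "insecurity proof failed"}
TRANSPORT_REASONS = {"network unreachable"}

ERROR_RE = re.compile(
    r"named\[\d+\]: error \((?P<reason>[^)]+)\) resolving "
    r"'(?P<qname>.+)/(?P<qtype>\w+)/(?P<qclass>\w+)': "
    r"(?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+)"
)

def triage(log_text):
    """Group named resolver errors by cause, then by the upstream queried."""
    report = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = ERROR_RE.search(line)
        if m is None:
            continue  # "validating ..." lines name no upstream address
        cause = ("dnssec" if m["reason"] in DNSSEC_REASONS else
                 "transport" if m["reason"] in TRANSPORT_REASONS else "other")
        report[cause][m["server"]].add(f"{m['qname']}/{m['qtype']}")
    return report

def local_dnssec_upstreams(report):
    """DNSSEC failures from private-range servers (a LAN forwarder or router)."""
    return sorted(s for s in report["dnssec"] if ipaddress.ip_address(s).is_private)

def transport_is_ipv6_only(report):
    """True when every unreachable upstream is IPv6, the case '-4' addresses."""
    servers = report["transport"]
    return bool(servers) and all(ipaddress.ip_address(s).version == 6 for s in servers)

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("local upstreams failing DNSSEC:", local_dnssec_upstreams(result))
    print("transport errors IPv6 only:", transport_is_ipv6_only(result))
```

A private-range address in the first list is the server to query directly with "dig +dnssec" to see whether it returns RRSIG records at all.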

