dnssec-validation

[anagno]

Καλησπέρα σε όλους,

Προσπαθώ να φτιάξω ένα Caching Server με την χρήση του bind και των ubuntu 12.04 . Όμως κάθε φορά που ενεργοποιώ το dnssec-validation στο syslog εμφανίζονται:

Κώδικας: Επιλογή όλων

Apr 10 15:03:17 server named[4023]: error (no valid RRSIG) resolving 'biz.dlv.isc.org/DS/IN': 208.67.220.220#53
Apr 10 15:03:17 server named[4023]: error (no valid RRSIG) resolving 'biz.dlv.isc.org/DS/IN': 208.67.222.222#53
Apr 10 15:03:17 server named[4023]: validating @0x7fc738037210: dlv.isc.org SOA: no valid signature found
Apr 10 15:03:17 server named[4023]: validating @0x7fc738037210: tapalanote.be.dlv.isc.org NSEC: no valid signature found
Apr 10 15:03:17 server named[4023]: validating @0x7fc740487db0: . NS: bad cache hit (dlv.isc.org/DLV)
Apr 10 15:03:17 server named[4023]: error (broken trust chain) resolving './NS/IN': 192.58.128.30#53
Apr 10 15:03:17 server named[4023]: error (no valid RRSIG) resolving 'be.dlv.isc.org/DS/IN': 208.67.222.222#53
Apr 10 15:03:17 server named[4023]: error (no valid RRSIG) resolving 'be.dlv.isc.org/DS/IN': 208.67.220.220#53
Apr 10 15:03:17 server named[4023]: validating @0x7fc740488a40: dlv.isc.org SOA: no valid signature found
Apr 10 15:03:17 server named[4023]: validating @0x7fc740488a40: trinitarianbiblesociety.org.au.dlv.isc.org NSEC: no valid signature found
Apr 10 15:03:18 server named[4023]: error (no valid RRSIG) resolving 'au.dlv.isc.org/DS/IN': 208.67.222.222#53
Apr 10 15:03:18 server named[4023]: error (no valid RRSIG) resolving 'au.dlv.isc.org/DS/IN': 208.67.220.220#53
Apr 10 15:03:18 server named[4023]: validating @0x7fc740002220: dlv.isc.org SOA: no valid signature found
Apr 10 15:03:18 server named[4023]: validating @0x7fc740002220: smersh.at.dlv.isc.org NSEC: no valid signature found
Apr 10 15:03:18 server named[4023]: error (no valid RRSIG) resolving 'at.dlv.isc.org/DS/IN': 208.67.222.222#53
Apr 10 15:03:18 server named[4023]: error (no valid RRSIG) resolving 'at.dlv.isc.org/DS/IN': 208.67.220.220#53
Apr 10 15:03:18 server named[4023]: validating @0x7fc7380436d0: dlv.isc.org SOA: no valid signature found
Apr 10 15:03:18 server named[4023]: validating @0x7fc7380436d0: ster.asia.dlv.isc.org NSEC: no valid signature found
Apr 10 15:03:18 server named[4023]: error (no valid RRSIG) resolving 'asia.dlv.isc.org/DS/IN': 208.67.222.222#53
Apr 10 15:03:18 server named[4023]: error (no valid RRSIG) resolving 'asia.dlv.isc.org/DS/IN': 208.67.220.220#53
Apr 10 15:03:18 server named[4023]: validating @0x7fc738044ff0: dlv.isc.org SOA: no valid signature found
Apr 10 15:03:18 server named[4023]: validating @0x7fc738044ff0: kram.as.dlv.isc.org NSEC: no valid signature found



και άλλα παρόμοια μηνύματα ενώ καθυστερεί και πολύ η εμφάνιση των σελίδων (αν εμφανιστούν ποτέ).

Το αρχείο named.conf.options έχει τα παρακάτω:

Κώδικας: Επιλογή όλων

acl network { 192.168.1.0/24; 127.0.0.1/32; };

options {
directory "/var/cache/bind";

// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113

// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.

//recursion no;
version "Not Disclosed";
allow-query { network; };

forwarders {
208.67.222.222;
208.67.220.220;
};

//=====================================================================$
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//=====================================================================$
//dnssec-validation no;

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
bindkeys-file "/etc/bind/bind.keys";


auth-nxdomain no; # conform to RFC1035
listen-on-v6 { none; };
};



Μάλλον κάπου έχω κάνει λάθος στις ρυθμίσεις ή έχω παραλείψει κάτι. Μπορεί κανείς να δώσει καμιά ιδέα ???

Ευχαριστώ εκ των προτέρων