If you see an error message like “no valid DS” or “no valid RRSIG” in your system logs, it means DNSSEC is not properly configured on your BIND server.
There are many resources on the Internet that show how to configure DNSSEC on a BIND (Berkeley Internet Name Domain) server.
Errors like “no valid DS”, “no valid RRSIG” or “insecurity proof failed” all relate to whether DNSSEC is properly set up for the BIND server being queried.
In the case of most big companies, and some of us at home, this means that the server we use to resolve internal addresses, and possibly to forward requests for external addresses out to external servers (the servers that may be listed in the “forwarders” directive in named.conf), is not correctly configured for DNSSEC or has out-of-date keys.
Enterprise sysadmins, avert your eyes at this point, because I’m going to provide home DNS admins with a way to avoid this entirely.
Just edit your /etc/named.conf so that the directives enabling DNSSEC look like this:
    dnssec-enable no;
    dnssec-validation no;
Then restart named (on Fedora 17+, “systemctl restart named.service”).
Depending upon how named was compiled for your particular machine, DNSSEC may be the default, so if these lines don’t appear anywhere in the file you should insert them. If DNSSEC is explicitly turned on with a “yes” alongside these directives, it is best to explicitly change them to “no”.
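As an added example (not part of the original post), this Python script reads named.conf text and reports, for each of the two directives, whether it is explicitly off, explicitly on, or absent so that the compiled-in default applies. The sample configuration is constructed, and the function names are hypothetical.

```python
import re

DIRECTIVES = ("dnssec-enable", "dnssec-validation")

# Constructed sample named.conf, not taken from a real server.
SAMPLE = '''
options {
    directory "/var/named";      // working directory
    forwarders { 192.0.2.53; };
    # dnssec-enable yes;
    dnssec-enable no;
    /* dnssec-validation no; */
};
'''

def strip_comments(text):
    """Drop /* */, // and # comments; quoted strings pass through untouched."""
    token = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
    return token.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", text)

def explicit_values(text, name):
    """Every value given to `name` outside comments (options block or a view)."""
    pattern = r'(?<![\w-])' + re.escape(name) + r'\s+"?([\w-]+)"?\s*;'
    return [v.lower() for v in re.findall(pattern, strip_comments(text))]

def audit(text):
    """Map each directive to 'off', 'on' or 'unset' (compiled-in default applies)."""
    result = {}
    for name in DIRECTIVES:
        values = explicit_values(text, name)
        if not values:
            result[name] = "unset"
        else:
            result[name] = "off" if all(v == "no" for v in values) else "on"
    return result

if __name__ == "__main__":
    for name, state in audit(SAMPLE).items():
        print(f"{name}: {state}")
```

In the sample, the only dnssec-validation line is inside a comment, so that directive is reported as unset rather than off.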