No valid DS or RRSIG

If you see an error message like “no valid DS” or “no valid RRSIG” in your system logs, it means DNSSEC is not properly configured on your BIND server.

There are many resources on the Internet that show how to configure DNSSEC on a BIND (Berkeley Internet Name Domain) server.

Configuring DNSSEC on EL6 and bind 9

Configuring DNSSEC on your personal domain

Bind authoritative name server with DNSSEC in CentOS 6

Some theory: Paul Wouters – DNSSEC – Securing the DNS and beyond – SecTor 2012 (Video)

Errors like “no valid DS”, “no valid RRSIG” or “insecurity proof failed” all relate to whether DNSSEC is properly set up for the BIND server being queried.

For most big companies, and for some of us at home, this means that the server we use to resolve internal addresses (and possibly to forward requests for external addresses out to the servers listed in the “forwarders” directive in named.conf) is not correctly configured for DNSSEC, or has out-of-date keys.

Enterprise sysadmins avert your eyes at this point, because I’m going to provide home DNS admins with a way to avoid this entirely.

Just edit your /etc/named.conf so that the directives enabling DNSSEC look like this:

dnssec-enable no;
dnssec-validation no;

Then restart named (on Fedora 17+, “systemctl restart named.service”).

Depending on how named was compiled for your particular machine, DNSSEC may be enabled by default, so if these lines don’t appear anywhere in the file you should insert them. If DNSSEC is explicitly turned on with a “yes” on these directives, it is best to explicitly change them to “no”.
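As an added check that is not part of the original post, this shell snippet reports what a named.conf actually sets for the two directives, treating an absent directive as “unset” rather than guessing the compiled-in default; the two sample configurations and their paths are constructed for the example.

```shell
#!/bin/sh
# Report which DNSSEC directives a named.conf actually sets, so an admin
# can tell whether the compiled-in default applies (directive absent) or
# an explicit yes/no/auto is in force.

# Constructed sample configs (not the author's named.conf): one as found
# on a typical resolver, one after applying the edit described above.
BEFORE_CONF=$(mktemp); AFTER_CONF=$(mktemp)
cat > "$BEFORE_CONF" <<'EOF'
options {
    directory "/var/named";
    forwarders { 192.0.2.53; };   // upstream resolver for external names
    dnssec-enable yes;            # validation left at the build default
};
EOF
cat > "$AFTER_CONF" <<'EOF'
options {
    directory "/var/named";
    forwarders { 192.0.2.53; };
    dnssec-enable no;
    dnssec-validation no;
};
EOF

# dnssec_setting FILE DIRECTIVE: print the directive's value, or "unset"
# if it does not appear. Comments are stripped first so a commented-out
# line is not mistaken for a live setting.
dnssec_setting() {
    value=$(sed -e 's|//.*||' -e 's|#.*||' "$1" |
        grep -E "^[[:space:]]*$2[[:space:]]+(yes|no|auto)[[:space:]]*;" |
        head -n 1 |
        sed -E "s/^[[:space:]]*$2[[:space:]]+([a-z]+).*/\1/")
    [ -n "$value" ] && echo "$value" || echo unset
}

# validation_disabled FILE: succeed (0) only when both directives are
# explicitly "no", the state the post describes. "unset" is not enough,
# because the build default may still turn DNSSEC on.
validation_disabled() {
    [ "$(dnssec_setting "$1" dnssec-enable)" = no ] &&
    [ "$(dnssec_setting "$1" dnssec-validation)" = no ]
}

for f in "$BEFORE_CONF" "$AFTER_CONF"; do
    printf '%s: dnssec-enable=%s dnssec-validation=%s\n' "$f" \
        "$(dnssec_setting "$f" dnssec-enable)" \
        "$(dnssec_setting "$f" dnssec-validation)"
done
```

Point the functions at /etc/named.conf (after making the edit) to confirm the new settings are live before restarting named.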

This entry was posted in System Administration.

About phil

My name is Phil Lembo. In my day job I’m an enterprise IT architect for a leading distribution and services company. The rest of my time I try to maintain a semi-normal family life in the suburbs of Raleigh, NC. E-mail me at philipATlembobrothersDOTcom. The opinions expressed here are entirely my own and not those of my employers, past, present or future (except where I quote others, who will need to accept responsibility for their own rants).