20131208 no valid ds or rsig - plembo/onemoretech GitHub Wiki

title: No valid DS or RSIG
link: https://onemoretech.wordpress.com/2013/12/08/no-valid-ds-or-rsig/
author: phil2nc
description:
post_id: 6745
created: 2013/12/08 14:07:49
created_gmt: 2013/12/08 19:07:49
comment_status: closed
post_name: no-valid-ds-or-rsig
status: publish
post_type: post

No valid DS or RSIG

If you see an error message like "no valid DS" or "no valid RSIG" in your system logs, it means DNSSEC is not properly configured on your BIND server. There are many resources on the Internet that show how to configure DNSSEC on a BIND (Berkeley Internet Name Domain) server:

Configuring DNSSEC on EL6 and bind 9
Configuring DNSSEC on your personal domain
Bind authoritative name server with DNSSEC in CentOS 6

Some theory: Paul Wouters - DNSSEC - Securing the DNS and beyond - SecTor 2012 (Video)

Errors like "no valid DS", "no valid RSIG" or "insecurity proof failed" all relate to whether DNSSEC is properly set up for the BIND server being queried. For most big companies, and for some of us at home, this means that the server we use to resolve internal addresses, and possibly to forward requests for external addresses out to external servers (the servers that may be listed in the "forwarders" directive in named.conf), is not correctly configured for DNSSEC or has out-of-date keys.

Enterprise sysadmins, avert your eyes at this point, because I'm going to provide home DNS admins with a way to avoid this entirely. Just edit your /etc/named.conf so that the directives enabling DNSSEC look like this:

dnssec-enable no;
dnssec-validation no;

Then restart named (on Fedora 17+, "systemctl restart named.service"). Depending upon how named was compiled for your particular machine, DNSSEC may be the default, so if these lines don't appear anywhere in the file you should insert them. If DNSSEC is explicitly turned on with a "yes" alongside these directives, it is best to explicitly change them to "no".
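As an added check that is not part of the original post, this Python script reads a named.conf the way the post describes (including the case where the directives are absent and the compiled-in default applies) and reports which of the two DNSSEC directives the post would have you add or change; the sample named.conf is constructed for the example.

```python
import re

# Constructed sample of a home resolver's /etc/named.conf (not from the post)
SAMPLE_CONF = """\
options {
    directory "/var/named";
    forwarders { 192.0.2.1; 192.0.2.2; };  # upstream resolvers
    /* the two directives the post talks about */
    dnssec-enable yes;
    dnssec-validation yes;
};
"""
DNSSEC_DIRECTIVES = ("dnssec-enable", "dnssec-validation")

def strip_comments(text):
    """Drop the three comment forms named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def block_body(text, name):
    """Return the text inside `name { ... }`, tracking nested braces (e.g. forwarders)."""
    m = re.search(r"\b%s\s*\{" % re.escape(name), text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    return None  # unbalanced braces; named-checkconf would reject such a file

def dnssec_settings(conf_text):
    """Map each DNSSEC directive in the options block to its value, or None if absent
    (then the compiled-in default applies, which the post warns may be 'on')."""
    body = block_body(strip_comments(conf_text), "options") or ""
    settings = {}
    for directive in DNSSEC_DIRECTIVES:
        m = re.search(r"(?m)^\s*%s\s+(\S+?)\s*;" % directive, body)
        settings[directive] = m.group(1).lower() if m else None
    return settings

def directives_to_edit(conf_text):
    """List the directives the post says to add or change: absent, or not 'no'."""
    return [d for d, v in dnssec_settings(conf_text).items() if v != "no"]
```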

Copyright 2004-2019 Phil Lembo