
This morning I noticed that named was logging

  "dnssec: info:   validating <domain name>/SOA: no valid signature found"

The domain name appears in multiple views (4), where the internal and external view (pair)s use different keys.

Isolating the problem would be easier if the message included the view that is triggering this error.

It turned out that explicit queries failed with

  "lame-servers: info: RRSIG failed to verify resolving '<domain name>/SOA/IN'"

Again, no view & no clue (expired? crypto? ??).  The zone is "auto-dnssec maintain", so there was no obvious user error.

  rndc sign <domain> in internal

on the master triggered an IXFR of 1 record (presumably an RRSIG for the SOA), after which the symptom disappeared (on both the master and slave servers).

All in all, there seemed to be a lack of breadcrumbs to track this down.  I can't say how long this was going on; the message is low severity & appears in logs going back to June - which is the event horizon.  The only SOA changes would have been due to UPDATE (of other records)/auto signing.

FWIW: This is a zone for which the server is authoritative (stub zone handles recursion to get validation); perhaps the severity should be higher in this case.   Or perhaps there should be a periodic integrity check on served zones that verifies proper signatures.  Or??

-- 
Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
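One form the periodic integrity check suggested above could take, as an added example that is not part of the original post or of BIND: query each view for its SOA with `dig +dnssec`, and check the RRSIG validity window and key tag against that view's keys, reporting the view by name. The zone `example.net`, the key tags 12345/54321 and the answer text are constructed here so the check runs offline.

```python
import re
from datetime import datetime, timezone

# RRSIG presentation format: <covered> <alg> <labels> <origttl> <expire> <incept> <keytag> <signer> <sig>
RRSIG_RE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expire>\d{14})\s+(?P<incept>\d{14})\s+(?P<keytag>\d+)\s+(?P<signer>\S+)"
)

def _ts(stamp):
    """Parse an RRSIG YYYYMMDDHHMMSS timestamp as UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_soa_rrsig(view, answer, view_keytags, now):
    """Check the RRSIGs over the SOA in one view's answer.

    view_keytags: key tags of the DNSKEYs that sign this view's copy of the zone
    (internal and external views use different keys, so a foreign tag is a finding).
    Returns (valid, findings): valid is True if at least one SOA RRSIG is usable now;
    findings name the view, so the log line says which view is affected.
    """
    findings, valid = [], False
    for line in answer.splitlines():
        m = RRSIG_RE.match(line)
        if not m or m["covered"] != "SOA":
            continue
        tag = int(m["keytag"])
        if tag not in view_keytags:
            findings.append(f"{view}: SOA RRSIG key tag {tag} is not a key of this view")
            continue
        expire, incept = _ts(m["expire"]), _ts(m["incept"])
        if now > expire:
            findings.append(f"{view}: SOA RRSIG (key {tag}) expired {expire:%Y-%m-%dT%H:%MZ}")
        elif now < incept:
            findings.append(f"{view}: SOA RRSIG (key {tag}) not valid until {incept:%Y-%m-%dT%H:%MZ}")
        else:
            valid = True
    if not valid and not findings:
        findings.append(f"{view}: no RRSIG covering SOA in answer")
    return valid, findings

# Constructed sample answers in the form `dig +dnssec @<server> example.net SOA` prints them
# (signature data shortened to "..."); the external view's signature has lapsed.
INTERNAL_ANSWER = """\
example.net.\t3600\tIN\tSOA\tns1.example.net. hostmaster.example.net. 2024060101 7200 3600 1209600 3600
example.net.\t3600\tIN\tRRSIG\tSOA 13 2 3600 20240701000000 20240601000000 12345 example.net. ...
"""
EXTERNAL_ANSWER = """\
example.net.\t3600\tIN\tSOA\tns1.example.net. hostmaster.example.net. 2024060101 7200 3600 1209600 3600
example.net.\t3600\tIN\tRRSIG\tSOA 13 2 3600 20240520000000 20240420000000 54321 example.net. ...
"""
NOW = datetime(2024, 6, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    for view, answer, tags in [("internal", INTERNAL_ANSWER, {12345}), ("external", EXTERNAL_ANSWER, {54321})]:
        ok, findings = check_soa_rrsig(view, answer, tags, NOW)
        print(view, "OK" if ok else "; ".join(findings))
```

Run from cron with real `dig` output gathered from a source address that each view matches, and raise the alert severity as the post suggests, since an authoritative server silently serving an expired SOA signature otherwise shows up only as this low-severity validator message.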