You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by Martin Gregorie <ma...@gregorie.org> on 2015/10/13 12:17:04 UTC

Invalid DNS sig on an SA mirror

I notice that the DNS domain for secnap.net doesn't appear to be set up
to DNSSEC standards. Doing a reverse lookup with 'host' returns
SERVFAIL, but the thing that attracted my attention in the first place
is that my copy of BIND 9.10.2 is reporting errors of the form

  validating sa-update.secnap.net/NSEC: no valid signature found

for the following variants on the theme: sa-update.secnap.net/NSEC,
secnap.net/SOA and sa-update.secnap.net/A

I was seeing a lot of these errors when I upgraded to Fedora 22, which
have tailed off, presumably as people got their zone files up to
current DNSSEC standards, but this is the first time I've seen this
reported on a sa-update mirror.


Martin