Wednesday, November 21, 2018

Remedy for the bind error (unable to find a DNSKEY)

◻️ This post records the remedy to apply when errors like the following appear.

Nov 19 23:15:17 localhost named[1605]: validating @0x7ff80c6a9ea0: . DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for '.'
Nov 19 23:15:17 localhost named[1605]: validating @0x7ff80c6a9ea0: . DNSKEY: please check the 'trusted-keys' for '.' in named.conf.
Nov 19 23:15:17 localhost named[1605]: validating @0x7ff80c6a9ea0: . DNSKEY: verify failed due to bad signature (keyid=20326): RRSIG validity period has not begun
Nov 19 23:15:17 localhost named[1605]: validating @0x7ff80c6a9ea0: . DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for '.'
Nov 19 23:15:17 localhost named[1605]: validating @0x7ff80c6a9ea0: . DNSKEY: please check the 'trusted-keys' for '.' in named.conf.
Nov 19 23:15:17 localhost named[1605]: validating @0x7ff80c6a9ea0: . DNSKEY: verify failed due to bad signature (keyid=20326): RRSIG validity period has not begun
Nov 19 23:15:17 localhost named[1605]: validating @0x7ff80c6a9ea0: . DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for '.'
Nov 19 23:15:17 localhost named[1605]: validating @0x7ff80c6a9ea0: . DNSKEY: please check the 'trusted-keys' for '.' in named.conf.
Nov 19 23:15:17 localhost named[1605]: validating @0x7ff80c6a9ea0: . DNSKEY: verify failed due to bad signature (keyid=20326): RRSIG validity period has not begun
Nov 19 23:15:17 localhost named[1605]: validating @0x7ff80c6a9ea0: . DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for '.'
Nov 19 23:15:17 localhost named[1605]: validating @0x7ff80c6a9ea0: . DNSKEY: please check the 'trusted-keys' for '.' in named.conf.


1) Edit the following file.
vi /etc/named.conf


2) Comment out the part shown in red below (the red highlight does not survive here; the line in question is managed-keys-directory, shown commented out with # below).
//
// named.conf for Red Hat caching-nameserver
//
//
// a caching only nameserver config
//
options {
        listen-on port 53 { 127.0.0.1; xxx.xxx.xxx.xxx; xxx.xxx.xxx.xxx;};
#        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; xxx.xxx.xxx.0/24; xxx.xxx.xxx.0/24;};
        recursion yes;
        dnssec-enable yes;
        dnssec-validation auto;
        dnssec-lookaside auto;
        bindkeys-file "/etc/named.iscdlv.key";
#       managed-keys-directory "/var/named/dynamic";

3) Run the following command. The log message 'RRSIG validity period has not begun' means the server's clock is behind the signature's inception time, so the clock must be correct before validation can succeed.
hwclock --systohc


4) Restart the named-chroot service.
systemctl restart named-chroot


5) Remove the comment from the part shown in red below (the managed-keys-directory line, now uncommented).

//
// named.conf for Red Hat caching-nameserver
//
//
// a caching only nameserver config
//
options {
        listen-on port 53 { 127.0.0.1; xxx.xxx.xxx.xxx; xxx.xxx.xxx.xxx;};
#        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; xxx.xxx.xxx.0/24; xxx.xxx.xxx.0/24;};
        recursion yes;
        dnssec-enable yes;
        dnssec-validation auto;
        dnssec-lookaside auto;
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
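The check behind the failure above, as an added example that is not code from the original post: a validator accepts an RRSIG only while inception <= now <= expiration, so a system clock that lags behind the signature's inception produces exactly the 'RRSIG validity period has not begun' line from the log. The RRSIG record and log lines below are constructed (20326 is the root key tag seen in the post's log); the function names are this example's own.

```python
"""Check an RRSIG validity window against the resolver's clock.

Added example, not code from the original post.  named's "RRSIG validity
period has not begun" means the validator's clock is earlier than the
signature's inception.  The record and log lines are constructed.
"""
import re
from datetime import datetime, timezone

# RRSIG presentation format: type alg labels ttl expiration inception keytag signer ...
_RRSIG_RE = re.compile(
    r"RRSIG\s+\S+\s+\d+\s+\d+\s+\d+\s+(?P<exp>\d{14})\s+(?P<inc>\d{14})\s+(?P<keyid>\d+)")
# named's log line for a signature that failed verification.
_FAIL_RE = re.compile(r"bad signature \(keyid=(?P<keyid>\d+)\): (?P<reason>.*)$")

# Constructed RRSIG over the root DNSKEY RRset; 20326 is the root KSK key tag seen in the log.
SAMPLE_RRSIG = (". 172800 IN RRSIG DNSKEY 8 0 172800 20181201000000 "
                "20181110000000 20326 . <signature-omitted>")
SAMPLE_LOG = [  # constructed, modelled on the post's log
    "Nov 19 23:15:17 localhost named[1605]: validating @0x7ff80c6a9ea0: . DNSKEY: "
    "unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for '.'",
    "Nov 19 23:15:17 localhost named[1605]: validating @0x7ff80c6a9ea0: . DNSKEY: "
    "verify failed due to bad signature (keyid=20326): RRSIG validity period has not begun",
]

def parse_rrsig_time(s: str) -> datetime:
    """RRSIG timestamps are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def rrsig_window_status(rrsig_line: str, now: datetime) -> dict:
    """Return keyid, status ('valid' / 'not begun' / 'expired') and, when the clock
    is behind, how many seconds it must advance before the signature is accepted."""
    m = _RRSIG_RE.search(rrsig_line)
    if not m:
        raise ValueError("not an RRSIG record: %r" % rrsig_line)
    inception, expiration = parse_rrsig_time(m["inc"]), parse_rrsig_time(m["exp"])
    if now < inception:
        return {"keyid": int(m["keyid"]), "status": "not begun",
                "seconds_behind": (inception - now).total_seconds()}
    status = "expired" if now > expiration else "valid"
    return {"keyid": int(m["keyid"]), "status": status, "seconds_behind": 0.0}

def clock_skew_failures(log_lines) -> list:
    """Pick out named validation failures caused by the clock, as (keyid, reason) pairs."""
    hits = []
    for line in log_lines:
        m = _FAIL_RE.search(line)
        if m and "validity period" in m["reason"]:
            hits.append((int(m["keyid"]), m["reason"]))
    return hits
```

Feed it the RRSIG line from dig +dnssec and the server's current UTC time to see whether a validation failure is a clock problem rather than a trust-anchor problem.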
