BIND-9.16 and managed-keys-zone
Summary
Wrong cache state for the managed-keys
database.
BIND version used
[root@master1 /]# named -v
BIND 9.16.15-RH (Stable Release) <id:4469e3e>
Steps to reproduce
This simulates a first run of named.
[root@master1 /]# systemctl stop named
# remove current managed-keys
[root@master1 /]# rm -f /var/named/dynamic/managed-keys.bind*
# set a forwarder that does not exist or is not reachable (offline); in my example I set it to '8.8.8.123' with forward policy 'only'
forward only;
forwarders {8.8.8.123;};
dnssec-validation auto(or yes);
[root@master1 /]# systemctl start named
[root@master1 /]# dig +dnssec mirrors.fedoraproject.org
; <<>> DiG 9.16.15-RH <<>> +dnssec mirrors.fedoraproject.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23320
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: 9297a095e3be13020100000060ae6af11adeea19e019f898 (good)
;; QUESTION SECTION:
;mirrors.fedoraproject.org. IN A
;; Query time: 3000 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed May 26 15:36:17 UTC 2021
;; MSG SIZE rcvd: 82
[root@master1 /]# cat /var/named/data/dnssec.log
26-May-2021 15:36:13.254 warning: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out
[root@master1 /]# cat /var/named/dynamic/managed-keys.bind
$ORIGIN .
$TTL 0 ; 0 seconds
@ IN SOA . . (
2 ; serial
0 ; refresh (0 seconds)
0 ; retry (0 seconds)
0 ; expire (0 seconds)
0 ; minimum (0 seconds)
)
KEYDATA 20210526163613 19700101000000 19700101000000 0 0 0 (
) ; ZSK; alg = 0; key id = 0
; next refresh: Wed, 26 May 2021 16:36:13 GMT
; no trust
# switch to a reachable forwarder
forwarders {8.8.8.8;};
[root@master1 /]# systemctl restart named
[root@master1 /]# dig +dnssec mirrors.fedoraproject.org
; <<>> DiG 9.16.15-RH <<>> +dnssec mirrors.fedoraproject.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21419
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: 20598bf16da011a90100000060ae6b9240e3281a7a1f4680 (good)
;; QUESTION SECTION:
;mirrors.fedoraproject.org. IN A
;; Query time: 171 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed May 26 15:38:58 UTC 2021
;; MSG SIZE rcvd: 82
[root@master1 /]# cat /var/named/dynamic/managed-keys.bind
$ORIGIN .
$TTL 0 ; 0 seconds
@ IN SOA . . (
2 ; serial
0 ; refresh (0 seconds)
0 ; retry (0 seconds)
0 ; expire (0 seconds)
0 ; minimum (0 seconds)
)
KEYDATA 20210526163613 19700101000000 19700101000000 0 0 0 (
) ; ZSK; alg = 0; key id = 0
; next refresh: Wed, 26 May 2021 16:36:13 GMT
; no trust
[root@master1 /]# cat /var/named/data/dnssec.log
26-May-2021 15:36:13.254 warning: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out
26-May-2021 15:38:54.052 info: managed-keys-zone: DNSKEY set for zone '.' could not be verified with current keys
26-May-2021 15:38:58.312 info: validating org/DS: no valid signature found
26-May-2021 15:38:58.312 info: validating org/DNSKEY: bad cache hit (org/DS)
[root@master1 /]# cat /var/named/data/query_errors.log
26-May-2021 15:36:17.818 info: client @0x7f8154000cc8 ::1#48423 (mirrors.fedoraproject.org): query failed (timed out) for mirrors.fedoraproject.org/IN/A at ../../../lib/ns/query.c:7360
26-May-2021 15:36:17.818 info: client @0x7f81440104c8 127.0.0.1#50230 (mirrors.fedoraproject.org): query failed (timed out) for mirrors.fedoraproject.org/IN/A at ../../../lib/ns/query.c:7360
26-May-2021 15:38:58.313 info: client @0x7fd9d00104c8 127.0.0.1#59004 (mirrors.fedoraproject.org): query failed (broken trust chain) for mirrors.fedoraproject.org/IN/A at ../../../lib/ns/query.c:7360
What is the current bug behavior?
In this case BIND answers SERVFAIL to all queries until I stop it and manually remove managed-keys.bind and its journal. Once the forwarder becomes reachable, the log above shows that the root DNSKEY set "could not be verified with current keys", so it appears the empty KEYDATA record (marked "; no trust") is being treated as the current trust anchor and every validated answer then fails with a broken trust chain. In my opinion the managed-keys
zone should be reinitialized automatically, since it is empty.