bind9 stopped working in different Debian releases - DNSSEC errors (#600) · Issues · ISC Open Source Projects / BIND

bind9 stopped working in different Debian releases - DNSSEC errors

Summary

In three days Bind9 stopped working on many our Debian server /version, 7, 8). Please note that they are dmz firewalls or mail servers, not specific dns servers so all server have 53 tcp/udp closed to world. The logs shows many many us:

##named[23725]: error (broken trust chain) resolving ##validating @0x7f0fcc341860: it DS: bad cache hit (./DNSKEY) ##named[23725]: validating @0x7f0fc40420d0: . DNSKEY: please check the 'trusted-keys' for '.' in named.conf.

The only solution to start bind9 was add theese in named.conf.option dnssec-validation no; dnssec-enable no;

BIND version used

Debian7: BIND 9.8.4-rpz2+rl005.12-P1 built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2' using OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013 using libxml2 version: 2.8.0

Debian8: BIND 9.8.4-rpz2+rl005.12-P1 built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2' using OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013 using libxml2 version: 2.8.0

Steps to reproduce

We do not know how reproduce. We removed yesterday the options dnssec-validation no; dnssec-enable no; and the problem did not return.

What is the current bug behavior?

(What actually happens.)

What is the expected correct behavior?

(What you should see instead.)

Relevant configuration files

'options { directory "/var/cache/bind";

    forwarders {
            xxx.xxx.xxx.xxx;
            xxx.xxx.xxx.xxx;
     };


    dnssec-validation auto;

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { none; };

};'

Relevant logs and/or screenshots

'Oct 17 08:31:01 mail9 named[23725]: validating @0x7f0fcc3d0780: . DNSKEY: please check the 'trusted-keys' for '.' in named.conf.' 'Oct 17 08:31:01 mail9 named[23725]: error (no valid KEY) resolving './DNSKEY/IN': 198.41.0.4#53' 'Oct 17 08:31:01 mail9 named[23725]: validating @0x7f0fc403e980: . DNSKEY: unable to find a DNSKEY which verifies the DNSKEY' ''RRset and also matches a trusted key for '.'' 'Oct 17 08:31:01 mail9 named[23725]: validating @0x7f0fc403e980: . DNSKEY: please check the 'trusted-keys' for '.' in named.conf.' 'Oct 17 08:31:01 mail9 named[23725]: error (no valid KEY) resolving './DNSKEY/IN': 199.7.83.42#53' 'Oct 17 08:31:01 mail9 named[23725]: validating @0x7f0fcc3d0780: . DNSKEY: unable to find a DNSKEY which verifies the DNSKEY ''RRset and also matches a trusted key for '.' 'Oct 17 08:31:01 mail9 named[23725]: validating @0x7f0fcc3d0780: . DNSKEY: please check the 'trusted-keys' for '.' in named.conf.'

Possible fixes

(If you can, link to the line of code that might be responsible for the problem.)

Edited Oct 17, 2018 by Ghost User