bind9 stopped working in different Debian releases - DNSSEC errors
Summary
Within three days Bind9 stopped working on many of our Debian servers (versions 7, 8). Please note that they are DMZ firewalls or mail servers, not dedicated DNS servers, so all servers have 53 tcp/udp closed to the world. The logs show many, many of these:

```
named[23725]: error (broken trust chain) resolving
named[23725]: validating @0x7f0fcc341860: it DS: bad cache hit (./DNSKEY)
named[23725]: validating @0x7f0fc40420d0: . DNSKEY: please check the 'trusted-keys' for '.' in named.conf.
```
The only solution to start bind9 was to add these in named.conf.options: `dnssec-validation no; dnssec-enable no;`
BIND version used
Debian7: BIND 9.8.4-rpz2+rl005.12-P1 built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2' using OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013 using libxml2 version: 2.8.0
Debian8: BIND 9.8.4-rpz2+rl005.12-P1 built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2' using OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013 using libxml2 version: 2.8.0
Steps to reproduce
We do not know how to reproduce it. Yesterday we removed the options `dnssec-validation no; dnssec-enable no;` and the problem did not return.
What is the current bug behavior?
What is the expected correct behavior?
Relevant configuration files
```
options {
    directory "/var/cache/bind";
    forwarders {
        xxx.xxx.xxx.xxx;
        xxx.xxx.xxx.xxx;
    };
    dnssec-validation auto;
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { none; };
};
```
Relevant logs and/or screenshots
```
Oct 17 08:31:01 mail9 named[23725]: validating @0x7f0fcc3d0780: . DNSKEY: please check the 'trusted-keys' for '.' in named.conf.
Oct 17 08:31:01 mail9 named[23725]: error (no valid KEY) resolving './DNSKEY/IN': 198.41.0.4#53
Oct 17 08:31:01 mail9 named[23725]: validating @0x7f0fc403e980: . DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for '.'
Oct 17 08:31:01 mail9 named[23725]: validating @0x7f0fc403e980: . DNSKEY: please check the 'trusted-keys' for '.' in named.conf.
Oct 17 08:31:01 mail9 named[23725]: error (no valid KEY) resolving './DNSKEY/IN': 199.7.83.42#53
Oct 17 08:31:01 mail9 named[23725]: validating @0x7f0fcc3d0780: . DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for '.'
Oct 17 08:31:01 mail9 named[23725]: validating @0x7f0fcc3d0780: . DNSKEY: please check the 'trusted-keys' for '.' in named.conf.
```
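The log asks the operator to check the trust anchors for '.'. The following is an added example (not part of the report, and not BIND's own code) of that check: it computes RFC 4034 key tags for the DNSKEY anchors a resolver has configured and for the DNSKEY RRset currently served by the root, and reports which anchors still match a live key-signing key. All key material in it is constructed sample data, not the real root keys.

```python
# Added example (not from the report or from ISC): compare the DNSKEY trust
# anchors configured on a validating resolver with the DNSKEY RRset served for
# the root, as the "please check the 'trusted-keys' for '.'" log asks.
# All key material below is constructed sample data, not the real root keys.
import base64
import struct

SEP_FLAG = 0x0001  # Secure Entry Point bit: flags 257 marks a key-signing key

def parse_dnskey(line):
    """Parse presentation format '<owner> <flags> <proto> <alg> <base64 key>'."""
    owner, flags, proto, alg, *key = line.split()
    rdata = struct.pack("!HBB", int(flags), int(proto), int(alg))
    return owner.lower(), rdata + base64.b64decode("".join(key))

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def is_ksk(rdata):
    """True when the SEP flag is set, i.e. the key may act as a trust anchor."""
    return struct.unpack("!H", rdata[:2])[0] & SEP_FLAG != 0

def check_anchors(configured, live):
    """Key tags of configured anchors that still match a live KSK, that do not,
    and of live KSKs the resolver has no anchor for."""
    live_ksks = {key_tag(r): r for _, r in map(parse_dnskey, live) if is_ksk(r)}
    conf = {key_tag(r): r for _, r in map(parse_dnskey, configured)}
    return {
        "valid": sorted(t for t in conf if live_ksks.get(t) == conf[t]),
        "stale": sorted(t for t in conf if live_ksks.get(t) != conf[t]),
        "missing": sorted(t for t in live_ksks if t not in conf),
    }

# Constructed sample: a resolver still carrying an old anchor after the root
# KSK it trusted was replaced. On a real host the live list would come from
# `dig . DNSKEY +norecurse @a.root-servers.net`.
CONFIGURED = [". 257 3 8 AwEAAQ=="]                         # tag 1803
LIVE_ROOT_DNSKEYS = [". 257 3 8 AwEAAavN",                  # KSK, tag 45784
                     ". 256 3 8 AwEAAavN"]                  # ZSK, ignored

if __name__ == "__main__":
    print(check_anchors(CONFIGURED, LIVE_ROOT_DNSKEYS))
```

A non-empty "stale" list with an empty "valid" list is the situation the log lines above describe: every configured anchor fails to match the DNSKEY RRset the resolver receives for '.'.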
Possible fixes