BIND issue #600 (Closed)

Created Oct 17, 2018 by Stefano (@Nellox1)

bind9 stopped working in different Debian releases - DNSSEC errors

Summary

In three days Bind9 stopped working on many of our Debian servers (versions 7 and 8). Please note that they are DMZ firewalls or mail servers, not specific DNS servers, so all servers have 53 tcp/udp closed to the world. The logs show many, many of these:

    named[23725]: error (broken trust chain) resolving
    validating @0x7f0fcc341860: it DS: bad cache hit (./DNSKEY)
    named[23725]: validating @0x7f0fc40420d0: . DNSKEY: please check the 'trusted-keys' for '.' in named.conf.

The only way to get bind9 to start was to add these to named.conf.options: dnssec-validation no; dnssec-enable no;

BIND version used

Debian7: BIND 9.8.4-rpz2+rl005.12-P1 built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2' using OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013 using libxml2 version: 2.8.0

Debian8: BIND 9.8.4-rpz2+rl005.12-P1 built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2' using OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013 using libxml2 version: 2.8.0

Steps to reproduce

We do not know how to reproduce it. Yesterday we removed the options dnssec-validation no; dnssec-enable no; and the problem did not return.

What is the current bug behavior?

(What actually happens.)

What is the expected correct behavior?

(What you should see instead.)

Relevant configuration files

    options {
        directory "/var/cache/bind";

        forwarders {
            xxx.xxx.xxx.xxx;
            xxx.xxx.xxx.xxx;
        };

        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { none; };
    };

Relevant logs and/or screenshots

    Oct 17 08:31:01 mail9 named[23725]: validating @0x7f0fcc3d0780: . DNSKEY: please check the 'trusted-keys' for '.' in named.conf.
    Oct 17 08:31:01 mail9 named[23725]: error (no valid KEY) resolving './DNSKEY/IN': 198.41.0.4#53
    Oct 17 08:31:01 mail9 named[23725]: validating @0x7f0fc403e980: . DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for '.'
    Oct 17 08:31:01 mail9 named[23725]: validating @0x7f0fc403e980: . DNSKEY: please check the 'trusted-keys' for '.' in named.conf.
    Oct 17 08:31:01 mail9 named[23725]: error (no valid KEY) resolving './DNSKEY/IN': 199.7.83.42#53
    Oct 17 08:31:01 mail9 named[23725]: validating @0x7f0fcc3d0780: . DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for '.'
    Oct 17 08:31:01 mail9 named[23725]: validating @0x7f0fcc3d0780: . DNSKEY: please check the 'trusted-keys' for '.' in named.conf.

Possible fixes

(If you can, link to the line of code that might be responsible for the problem.)

Edited Oct 17, 2018 by Stefano
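The log messages in this report can be triaged mechanically. The following Python is an added example, not part of the issue and not BIND project code: it parses named syslog lines into the two message families the report shows (`error (<reason>) resolving '<name>/<type>/<class>': <server>#<port>` and `validating @0x<addr>: <zone> <rrtype>: <detail>`), counts them per category, records which upstream servers the failing queries went to, and flags the case where no configured trust anchor for '.' matched the root DNSKEY RRset the resolver received, which is the condition that makes every validated answer fail. The category labels are this example's own; the sample lines are copied from the issue except the last, which is constructed with a placeholder name and a documentation-range address.

```python
"""Classify DNSSEC validation failures in BIND (named) syslog output.

Added example for this issue; not code from the BIND project."""
import re
from collections import Counter

# Lines 1-8 are copied from the issue (the wrapped "RRset" line re-joined).
# Line 9 is constructed from the truncated "broken trust chain" fragment in
# the Summary, with a placeholder query name and a documentation-range address.
SAMPLE_LOG = [
    "Oct 17 08:31:01 mail9 named[23725]: validating @0x7f0fcc3d0780: . DNSKEY: please check the 'trusted-keys' for '.' in named.conf.",
    "Oct 17 08:31:01 mail9 named[23725]: error (no valid KEY) resolving './DNSKEY/IN': 198.41.0.4#53",
    "Oct 17 08:31:01 mail9 named[23725]: validating @0x7f0fc403e980: . DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for '.'",
    "Oct 17 08:31:01 mail9 named[23725]: validating @0x7f0fc403e980: . DNSKEY: please check the 'trusted-keys' for '.' in named.conf.",
    "Oct 17 08:31:01 mail9 named[23725]: error (no valid KEY) resolving './DNSKEY/IN': 199.7.83.42#53",
    "Oct 17 08:31:01 mail9 named[23725]: validating @0x7f0fcc3d0780: . DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for '.'",
    "Oct 17 08:31:01 mail9 named[23725]: validating @0x7f0fcc3d0780: . DNSKEY: please check the 'trusted-keys' for '.' in named.conf.",
    "Oct 17 08:31:01 mail9 named[23725]: validating @0x7f0fcc341860: it DS: bad cache hit (./DNSKEY)",
    "Oct 17 08:31:01 mail9 named[23725]: error (broken trust chain) resolving 'example.com/A/IN': 192.0.2.1#53",
]

# syslog prefix: "Mon DD HH:MM:SS host named[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"named\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# "error (<reason>) resolving '<name>/<type>/<class>': <server>#<port>"
ERROR_RE = re.compile(
    r"^error \((?P<reason>[^)]+)\) resolving '(?P<query>[^']+)': "
    r"(?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+)$"
)
# "validating @0x<addr>: <zone> <rrtype>: <detail>"
VALIDATING_RE = re.compile(
    r"^validating @0x[0-9a-f]+: (?P<zone>\S+) (?P<rrtype>\S+): (?P<detail>.*)$"
)

# Substrings that identify each validator complaint; the labels are ours.
DETAIL_CATEGORIES = (
    ("please check the 'trusted-keys'", "trust-anchor-mismatch"),
    ("unable to find a DNSKEY which verifies", "dnskey-unverifiable"),
    ("bad cache hit", "stale-cache-hit"),
)


def parse_line(line):
    """Return a dict describing one named log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "pid": int(m["pid"])}
    msg = m["msg"]
    err = ERROR_RE.match(msg)
    if err:
        qname, qtype, qclass = err["query"].rsplit("/", 2)
        rec.update(kind="resolve-error", reason=err["reason"], qname=qname,
                   qtype=qtype, qclass=qclass, server=err["server"])
        return rec
    val = VALIDATING_RE.match(msg)
    if val:
        category = next((label for needle, label in DETAIL_CATEGORIES
                         if needle in val["detail"]), "other")
        rec.update(kind="validator", zone=val["zone"], rrtype=val["rrtype"],
                   category=category, detail=val["detail"])
        return rec
    rec.update(kind="other", text=msg)
    return rec


def summarize(lines):
    """Aggregate parsed lines: per-category counts, upstream servers queried,
    zones involved, and whether the root trust anchor itself is in doubt."""
    counts = Counter()
    servers, zones = set(), set()
    root_anchor_problem = False
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "resolve-error":
            counts["error:" + rec["reason"]] += 1
            servers.add(rec["server"])
            zones.add(rec["qname"])
        elif rec["kind"] == "validator":
            counts["validator:" + rec["category"]] += 1
            zones.add(rec["zone"])
            # A trusted-keys complaint for "." means no configured anchor
            # matched the root DNSKEY RRset, so nothing below it can validate.
            if rec["zone"] == "." and rec["category"] == "trust-anchor-mismatch":
                root_anchor_problem = True
    return {
        "counts": dict(counts),
        "servers": sorted(servers),
        "zones": sorted(zones),
        "root_trust_anchor_problem": root_anchor_problem,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the relevant lines from syslog or the named log channel. When `root_trust_anchor_problem` is set, the thing to inspect first is the resolver's trust anchor for '.' (the `trusted-keys` statement, or the managed-keys store that `dnssec-validation auto;` relies on), not the forwarders: the `error (no valid KEY)` lines above are a consequence of that mismatch, and they name the servers the root DNSKEY was fetched from, which helps rule out a single bad upstream.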