managed-keys update when outgoing UDP is blocked

Branko Mijuskovic branko.mijuskovic.hiag at gmail.com
Mon Feb 24 20:47:01 UTC 2020


Hi All,

We have an authoritative DNS hidden master (bind-9.11.4-9) running behind
the network where outgoing UDP traffic to unlisted IPs is blocked.

We are using DNSSEC and I've noticed that we are getting the following error
in the bind9 logfile: 'managed-keys-zone/default: Unable to fetch DNSKEY
set '.': timed out'

My question is: does bind use 'try-tcp-refresh' when it fails to get the
keys via UDP from the root servers?

This is because our keys are regularly updated, but I'm not sure how.

# rndc managed-keys status
view: default
next scheduled event: Tue, 25 Feb 2020 19:16:47 GMT

    name: .
    keyid: 20326
    algorithm: RSASHA256
    flags: SEP
    next refresh: Tue, 25 Feb 2020 19:16:47 GMT
    trusted since: Mon, 03 Feb 2020 18:10:26 GMT

# dig @e.root-servers.net . dnskey +multiline

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> @e.root-servers.net . dnskey +multiline
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached


# dig @e.root-servers.net . dnskey +multiline +tcp

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> @e.root-servers.net . dnskey +multiline +tcp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22070
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65535
;; QUESTION SECTION:
;. IN DNSKEY

;; ANSWER SECTION:
. 172800 IN DNSKEY 256 3 8 (
AwEAAeN+h0loXPKt7lFdW2zKIDkVHyJ1aYGUVE1dMNBl
RH3kTn40JKcHiPOs+fy0OFVCBwoKa1s9qZtdyP1UC0hg
Koldj3oELK1yLI5MUbTMcNkWbBMRuxRz/CgZJu3Ixcmu
ZWZMbn4LQDMj5YeiUiuWns5vipFGWWpyPyozQXmenSWO
K2GJOwcm7I/DyHVtVdztTvqiHqzy2aRoxwPhmEuAoYzz
uNJJw6JNEnXaN/7l2TIciskFyPVPBFZYHnk+1ma906df
ehIR190z3lh1ZESL2Yy3VIE2QGpRU6Px4ydH5sXxZ2wS
MgqNNga4kjnfM1msBqk3EI48RvTTkuV0yb1eFuU=
) ; ZSK; alg = RSASHA256 ; key id = 33853
. 172800 IN DNSKEY 257 3 8 (
AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO
iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN
7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5
LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8
efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7
pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY
A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws
9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
) ; KSK; alg = RSASHA256 ; key id = 20326

;; Query time: 20 msec
;; SERVER: 192.203.230.10#53(192.203.230.10)
;; WHEN: Mon Feb 24 20:31:08 UTC 2020
;; MSG SIZE  rcvd: 578

Thanks in advance
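The post above contrasts a UDP DNSKEY query that times out with a TCP one that succeeds, and shows the key tags dig computed. The script below is an added example, not part of the original post and not BIND's own code: it builds the same DNSKEY query for '.', sends it over UDP or over TCP (with the 2-byte length prefix TCP DNS requires), parses any DNSKEY records in the reply, and recomputes each key tag with the RFC 4034 Appendix B algorithm so that a fetched trust anchor can be checked against the 20326 shown in `rndc managed-keys status`. The root server address is taken from the dig output in the post; the KSK key material is the one printed there; the sample response used for offline checking is constructed here and is not a captured packet.

```python
"""Fetch the root DNSKEY set over UDP or TCP and verify key tags (RFC 4034 App. B)."""
import base64
import socket
import struct

ROOT_SERVER = "192.203.230.10"  # e.root-servers.net, as shown in the post's dig output
DNSKEY, OPT, IN = 48, 41, 1
# KSK-2017 public key exactly as printed in the post; dig reports key id 20326 for it.
ROOT_KSK_2017_B64 = (
    "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN"
    "7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8"
    "efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY"
    "A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="
)


def encode_name(name):
    """Wire-format a dotted name; '.' becomes the single zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dnskey_query(qname=".", txid=0x1234, udp_payload=4096):
    """Query for <qname> DNSKEY IN with an OPT RR advertising udp_payload (RD=0)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", DNSKEY, IN)
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_payload, 0, 0)  # name, type, class=size, ttl, rdlen
    return header + question + opt


def key_tag(flags, protocol, algorithm, pubkey_b64):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (non-algorithm-1 form)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if (i & 1) else (byte << 8)
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def fetch_dnskey(server, tcp, qname=".", timeout=3.0):
    """Send the query over TCP (2-byte length prefix) or UDP; return the raw reply."""
    msg = build_dnskey_query(qname)
    if tcp:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(msg)) + msg)
            (length,) = struct.unpack("!H", recv_exact(s, 2))
            return recv_exact(s, length)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (server, 53))
        return s.recv(65535)


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: continue at the pointed-to offset
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if jumped else off)


def parse_dnskeys(msg):
    """Return [(owner, flags, protocol, algorithm, key_b64)] for DNSKEY RRs in the answer."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError("RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # qtype + qclass
    keys = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == DNSKEY:
            kflags, proto, alg = struct.unpack("!HBB", rdata[:4])
            keys.append((owner, kflags, proto, alg, base64.b64encode(rdata[4:]).decode()))
    return keys


def build_sample_response(txid=0x1234):
    """Constructed (not captured) authoritative answer carrying only the KSK, for offline checks."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)  # QR|AA, 1 question, 1 answer
    question = encode_name(".") + struct.pack("!HH", DNSKEY, IN)
    rdata = struct.pack("!HBB", 257, 3, 8) + base64.b64decode(ROOT_KSK_2017_B64)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", DNSKEY, IN, 172800, len(rdata)) + rdata
    return header + question + rr


if __name__ == "__main__":
    for tcp in (False, True):
        try:
            reply = fetch_dnskey(ROOT_SERVER, tcp=tcp)
            for owner, kflags, proto, alg, b64 in parse_dnskeys(reply):
                kind = "KSK" if kflags & 1 else "ZSK"
                print("%s: %s %s alg=%d tag=%d" % ("tcp" if tcp else "udp", owner, kind, alg,
                                                  key_tag(kflags, proto, alg, b64)))
        except (socket.timeout, OSError) as exc:
            print("%s: failed: %s" % ("tcp" if tcp else "udp", exc))
```

Run it from the hidden master: with outbound UDP blocked the UDP branch should time out exactly as the first dig did, and the TCP branch should return the set with tag 20326 for the SEP key, which is the value `rndc managed-keys status` lists as the trusted key. A tag that does not match the configured anchor is the thing to investigate before trusting the fetch.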