Bind failures following update/reboot w/ 9.18.1

Greg Choules gregchoules+bindusers at googlemail.com
Fri May 13 16:34:17 UTC 2022


Hi Philip.
Can you run packet captures? I'm running 9.18.0 (close enough?) in Docker
and just traced what happens going from "dnssec-validation no;" to
"dnssec-validation auto;". It makes a DNSKEY query for "." to one of the
roots. The response size was over 900 bytes, so depending on what UDP
payload size is advertised there might need to be some retrying over TCP.
But you'll only know whether that is happening from a pcap.
So I'd say: check EDNS payload size, check what your firewall(s) is/are
prepared to let through, check whether DNS/TCP is allowed at all, check if
something is doing IP fragmentation (though I wouldn't expect this to come
into play with a packet ~1k).

I hope some of that is useful.
Cheers, Greg

On Fri, 13 May 2022 at 17:07, Philip Prindeville <
philipp_subx at redfish-solutions.com> wrote:

> After rebooting my OpenWRT router with Bind 9.18.1 yesterday, I started
> seeing a lot of:
>
>
> May 12 19:24:06 OpenWrt named[11061]: validating ./NS: no valid signature
> found
> May 12 19:24:06 OpenWrt named[11061]: validating net/DS: no valid
> signature found
> May 12 19:24:06 OpenWrt named[11061]: no valid RRSIG resolving './NS/IN':
> 192.203.230.10#53
> May 12 19:24:06 OpenWrt named[11061]: no valid RRSIG resolving
> 'net/DS/IN': 8.8.4.4#53
> May 12 19:24:06 OpenWrt named[11061]: validating com/DS: no valid
> signature found
> May 12 19:24:06 OpenWrt named[11061]: no valid RRSIG resolving
> 'com/DS/IN': 8.8.4.4#53
> May 12 19:24:06 OpenWrt named[11061]: validating net/DS: no valid
> signature found
> May 12 19:24:06 OpenWrt named[11061]: no valid RRSIG resolving
> 'net/DS/IN': 66.232.64.10#53
> May 12 19:24:06 OpenWrt named[11061]: validating com/DS: no valid
> signature found
> May 12 19:24:06 OpenWrt named[11061]: no valid RRSIG resolving
> 'com/DS/IN': 66.232.64.10#53
>
>
> In my options, I had:
>
> dnssec-validation auto;
>
> But had to turn this off.  It had been working.  This is a production
> firewall/router.
>
> What troubleshooting should I do to fix this?
>
> I had tried:
>
> rndc managed-keys refresh
> rndc managed-keys sync
>
> But don't understand why that would have been necessary unless the root
> keys got updated recently.
>
> Scrolling to the very top of the logs I see:
>
> May 12 19:24:04 OpenWrt named[11061]: managed-keys-zone: Unable to fetch
> DNSKEY set '.': timed out
>
> Thanks,
>
> -Philip