Issue running "dig txt rs.dns-oarc.net" on 9.12

NNEX Support support at nnex.net
Fri Jan 26 21:23:38 UTC 2018


I'm sure I'm doing something wrong, but for the life of me I can't figure out what. I'm running named 9.12 in a simple recursive setup (built from source on CentOS 7).

In named.conf I've set:
        dnssec-enable yes;
        dnssec-validation auto;

When I try to run "dig txt rs.dns-oarc.net" I get SERVFAIL. The logs show:

validating rs.dns-oarc.net/CNAME: starting
validating rs.dns-oarc.net/CNAME: attempting insecurity proof
validating rs.dns-oarc.net/CNAME: checking existence of DS at 'net'
validating net/DS: starting
validating net/DS: attempting positive response validation
validating net/DS: keyset with trust secure
validating net/DS: verify rdataset (keyid=41824): success
validating net/DS: marking as secure, noqname proof not needed
validating rs.dns-oarc.net/CNAME: in dsfetched2: success
validating rs.dns-oarc.net/CNAME: resuming proveunsecure
validating rs.dns-oarc.net/CNAME: checking existence of DS at 'dns-oarc.net'
validating dns-oarc.net/DS: starting
validating dns-oarc.net/DS: attempting positive response validation
validating net/DNSKEY: starting
validating net/DNSKEY: attempting positive response validation
validating net/DNSKEY: verify rdataset (keyid=35886): success
validating net/DNSKEY: marking as secure (DS)
validating dns-oarc.net/DS: in fetch_callback_validator
validating dns-oarc.net/DS: keyset with trust secure
validating dns-oarc.net/DS: resuming validate
validating dns-oarc.net/DS: verify rdataset (keyid=25733): success
validating dns-oarc.net/DS: marking as secure, noqname proof not needed
validating rs.dns-oarc.net/CNAME: in dsfetched2: success
validating rs.dns-oarc.net/CNAME: resuming proveunsecure
validating rs.dns-oarc.net/CNAME: checking existence of DS at 'rs.dns-oarc.net'
validating rs.dns-oarc.net/CNAME: continuing validation would lead to deadlock: aborting validation
validating rs.dns-oarc.net/CNAME: deadlock found (create_fetch)
Jan 26 15:06:59 red named[3036]: no valid RRSIG resolving 'rs.dns-oarc.net/TXT/IN': 64.191.0.133#53

However if I run "dig txt rs.dns-oarc.net +trace" and then "dig txt rs.dns-oarc.net" the query completes as expected. It continues to complete as expected until I restart named.

If I alter named.conf to say
        dnssec-enable yes;
        dnssec-validation yes;

Then running "dig txt rs.dns-oarc.net" works immediately, but of course that breaks verification of the root zone, so DNSSEC is worthless.

My named.conf is super simple:

key "rndc-key" {
      algorithm hmac-sha256;
      secret "$KEY";
};
controls {
      inet 127.0.0.1 port 953
              allow { 127.0.0.1; } keys { "rndc-key"; };
};
acl "NNEX" {
        127.0.0.1;
        aaa.bbb.ccc.0/22;
};
options {
        listen-on port 53 { 127.0.0.1; };
        listen-on port 53 { aaa.bbb.ccc.d; };
        directory       "/var/named";
        dnssec-enable yes;
        dnssec-validation auto;
        allow-recursion { nnex; };
        allow-query { nnex; };
        recursion yes;
};
logging {
        channel dnssec_log {
                file "/var/log/dnssec.log";
                severity debug 3;
        };
        category dnssec { dnssec_log; };
};

Thank you,

-Nick
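A small triage helper for the dnssec-category log quoted above, added here as an example; it is not part of Nick's post or of BIND itself. It groups the validator's steps per RRset, records which DS zones an insecurity proof walked, and flags proofs that ended in a deadlock. The sample lines are constructed from the log above, and the message matching assumes the 9.12 wording shown there.

```python
import re
from collections import defaultdict

# Constructed sample: validator debug lines quoted in the post, trimmed.
SAMPLE_LOG = """\
validating rs.dns-oarc.net/CNAME: attempting insecurity proof
validating rs.dns-oarc.net/CNAME: checking existence of DS at 'net'
validating net/DS: attempting positive response validation
validating net/DS: marking as secure, noqname proof not needed
validating rs.dns-oarc.net/CNAME: checking existence of DS at 'dns-oarc.net'
validating dns-oarc.net/DS: marking as secure, noqname proof not needed
validating rs.dns-oarc.net/CNAME: checking existence of DS at 'rs.dns-oarc.net'
validating rs.dns-oarc.net/CNAME: continuing validation would lead to deadlock: aborting validation
validating rs.dns-oarc.net/CNAME: deadlock found (create_fetch)
Jan 26 15:06:59 red named[3036]: no valid RRSIG resolving 'rs.dns-oarc.net/TXT/IN': 64.191.0.133#53
"""

# Each validator step is logged as "validating <name>/<type>: <message>".
STEP_RE = re.compile(r"validating (?P<name>\S+)/(?P<type>[A-Z]+): (?P<msg>.*)$")
DS_RE = re.compile(r"checking existence of DS at '(?P<zone>[^']+)'")
RRSIG_RE = re.compile(r"no valid RRSIG resolving '(?P<rr>[^']+)'")

def summarize_validation(log_text):
    """Per RRset: proof mode, DS zones walked, outcome; plus 'no valid RRSIG' failures."""
    summary = defaultdict(lambda: {"mode": None, "ds_chain": [], "outcome": "unknown"})
    failures = []
    for line in log_text.splitlines():
        step = STEP_RE.search(line)
        if not step:
            fail = RRSIG_RE.search(line)
            if fail:
                failures.append(fail["rr"])
            continue
        entry = summary[f"{step['name']}/{step['type']}"]
        msg = step["msg"]
        if msg.startswith("attempting "):   # "insecurity proof" / "positive response validation"
            entry["mode"] = msg[len("attempting "):]
        if ds := DS_RE.search(msg):         # the delegation walk of an insecurity proof
            entry["ds_chain"].append(ds["zone"])
        if msg.startswith("marking as secure"):
            entry["outcome"] = "secure"
        elif "deadlock found" in msg:
            entry["outcome"] = "deadlock"
    return dict(summary), failures

def stalled_insecurity_proofs(summary):
    """RRsets whose insecurity proof deadlocked, with the DS zone being checked at the time."""
    return [(rrset, e["ds_chain"][-1] if e["ds_chain"] else None)
            for rrset, e in summary.items()
            if e["mode"] == "insecurity proof" and e["outcome"] == "deadlock"]
```

Feeding it the full /var/log/dnssec.log from the config above shows at a glance which names stall at the last DS check rather than reaching a secure or insecure verdict.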
