Bind failures following update/reboot w/ 9.18.1

Greg Choules gregchoules+bindusers at googlemail.com
Fri May 13 18:15:19 UTC 2022


Your MTU is not the point. It's what happens beyond your equipment that may
have a bearing. However, as I said, I don't think IP fragmentation will be
your problem in this case, so that's a whole other discussion for a
different day.
Pcaps are your friend, though. From a packet capture you can see exactly
what happened on the wire, rather than speculate.

Cheers, Greg

On Fri, 13 May 2022 at 18:00, Philip Prindeville <
philipp_subx at redfish-solutions.com> wrote:

> My MTU is 1500 bytes, so I don't think that's the problem.
>
> But UDP can fragment via IP...
>
>
> > On May 13, 2022, at 10:34 AM, Greg Choules <
> gregchoules+bindusers at googlemail.com> wrote:
> >
> > Hi Philip.
> > Can you run packet captures? I'm running 9.18.0 (close enough?) in
> Docker and just traced what happens going from "dnssec-validation no;" to
> "dnssec-validation auto;". It makes a DNSKEY query for "." to one of the
> roots. The response size was over 900 bytes, so depending on what UDP
> payload size is advertised there might need to be some retrying over TCP.
> But you'll only know whether that is happening from a pcap.
> > So I'd say... check EDNS payload size, check what your firewall(s) is/are
> prepared to let through, check whether DNS/TCP is allowed at all, check if
> something is doing IP fragmentation (though I wouldn't expect this to come
> into play with a packet ~1k).
> >
> > I hope some of that is useful.
> > Cheers, Greg
> >
> > On Fri, 13 May 2022 at 17:07, Philip Prindeville <
> philipp_subx at redfish-solutions.com> wrote:
> > After rebooting my OpenWRT router with Bind 9.18.1 yesterday, I started
> seeing a lot of:
> >
> >
> > May 12 19:24:06 OpenWrt named[11061]: validating ./NS: no valid
> signature found
> > May 12 19:24:06 OpenWrt named[11061]: validating net/DS: no valid
> signature found
> > May 12 19:24:06 OpenWrt named[11061]: no valid RRSIG resolving
> './NS/IN': 192.203.230.10#53
> > May 12 19:24:06 OpenWrt named[11061]: no valid RRSIG resolving
> 'net/DS/IN': 8.8.4.4#53
> > May 12 19:24:06 OpenWrt named[11061]: validating com/DS: no valid
> signature found
> > May 12 19:24:06 OpenWrt named[11061]: no valid RRSIG resolving
> 'com/DS/IN': 8.8.4.4#53
> > May 12 19:24:06 OpenWrt named[11061]: validating net/DS: no valid
> signature found
> > May 12 19:24:06 OpenWrt named[11061]: no valid RRSIG resolving
> 'net/DS/IN': 66.232.64.10#53
> > May 12 19:24:06 OpenWrt named[11061]: validating com/DS: no valid
> signature found
> > May 12 19:24:06 OpenWrt named[11061]: no valid RRSIG resolving
> 'com/DS/IN': 66.232.64.10#53
> >
> >
> > In my options, I had:
> >
> > dnssec-validation auto;
> >
> > But had to turn this off.  It had been working.  This is a production
> firewall/router.
> >
> > What troubleshooting should I do to fix this?
> >
> > I had tried:
> >
> > rndc managed-keys refresh
> > rndc managed-keys sync
> >
> > But don't understand why that would have been necessary unless the root
> keys got updated recently.
> >
> > Scrolling to the very top of the logs I see:
> >
> > May 12 19:24:04 OpenWrt named[11061]: managed-keys-zone: Unable to fetch
> DNSKEY set '.': timed out
> >
> > Thanks,
> >
> > -Philip
> >
> >
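Added example, not code from Greg, Philip or BIND: a small Python probe of the check Greg describes above, sending a DNSKEY query for "." with a chosen EDNS0 UDP payload size, reading the TC bit out of the reply and retrying over TCP when it is set. Function names are mine; the root server address in the `__main__` block is the one that appears in Philip's log lines, and a `socket.timeout` from `probe()` is the same condition named's "Unable to fetch DNSKEY set '.': timed out" message reports.

```python
import socket
import struct

def build_dnskey_query(payload_size=1232, txid=0x1234):
    """DNSKEY query for ".", RD set, plus one EDNS0 OPT RR advertising payload_size."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # 1 question, 1 additional
    question = b"\x00" + struct.pack("!HH", 48, 1)             # ".", type DNSKEY, class IN
    opt = b"\x00" + struct.pack("!HHBBHH", 41, payload_size, 0, 0, 0x8000, 0)  # DO bit set
    return header + question + opt

def edns_payload_size(query):
    """Read the advertised UDP payload size back out of the trailing OPT RR."""
    return struct.unpack("!H", query[-8:-6])[0]

def parse_header(data):
    """Return the header fields that matter here: TC, RCODE, ANCOUNT, message size."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "tc": bool(flags & 0x0200), "rcode": flags & 0x000F,
            "answers": an, "size": len(data)}

def needs_tcp_retry(data):
    """TC=1 means the UDP reply was cut short; a resolver must retry over TCP."""
    return parse_header(data)["tc"]

def probe(server, payload_size=1232, timeout=3.0):
    """Query over UDP, repeat over TCP on truncation; returns (transport, header dict).
    A socket.timeout here corresponds to the 'Unable to fetch DNSKEY set' log line."""
    query = build_dnskey_query(payload_size)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        data, _ = udp.recvfrom(65535)
    if not needs_tcp_retry(data):
        return "udp", parse_header(data)
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(struct.pack("!H", len(query)) + query)   # TCP framing: 2-byte length
        stream = tcp.makefile("rb")
        length = struct.unpack("!H", stream.read(2))[0]
        return "tcp", parse_header(stream.read(length))

# Constructed sample reply: flags 0x8380 = QR, RD, RA, TC set, question echoed, no answers.
SAMPLE_TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + b"\x00\x00\x30\x00\x01"

if __name__ == "__main__":
    # 192.203.230.10 is the root server address that appears in Philip's log lines.
    for size in (512, 1232):
        print(size, probe("192.203.230.10", size))
```

Running it with both sizes shows whether a small advertised payload forces the TCP path, and a hang on the TCP leg points at a firewall that drops DNS/TCP.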