Dnssec issues
Nick Tait
nick at tait.net.nz
Thu Sep 22 20:09:07 UTC 2022
Hi Salma.While I haven't experienced your problem before, I do recall having 'issues' with DNSSEC when my router was acting as a caching DNS resolver.My suggestion is to check if you have an appliance 'helping' with DNS (e.g. between these servers and the Internet?) and if so try turning that function off to see if the problem goes away?Nick.
-------- Original message --------From: salma smaoui <salma.smaoui1 at outlook.fr> Date: 22/09/22 11:18 PM (GMT+12:00) To: bind-users at lists.isc.org Subject: Dnssec issues
Hello All,
We are facing some resolution problems on a CENTOS resolver that deploys bind 9.11.36-S1 with DNSSEC being activated.
The logs in 'default.logs' shows the current errors :
X-Sep-2022 10:34:29.348 dnssec: info: validating shalltry.com/SOA: bad cache hit (shalltry.com/DS)
X-Sep-2022 10:34:29.363 dnssec: info: validating osupdate2020.shalltry.com/A: bad cache hit (shalltry.com/DS)
X-Sep-2022 10:34:29.411 dnssec: info: validating static.cnews.fr/NSEC: no valid signature found
X-Sep-2022 10:34:29.445 dnssec: info: validating ocsp.comodoca.com.cdn.cloudflare.net/A: bad cache hit (cloudflare.net/DNSKEY)
X-Sep-2022 10:34:29.447 dnssec: info: validating cdn.jsdelivr.net.cdn.cloudflare.net/A: bad cache hit (cloudflare.net/DNSKEY)
X-Sep-2022 10:34:29.558 dnssec: info: validating oshola.shalltry.com/A: bad cache hit (shalltry.com/DS)
X-Sep-2022 10:34:29.567 dnssec: info: validating ds.shalltry.com/A: bad cache hit (shalltry.com/DS)
X-Sep-2022 10:34:29.570 dnssec: info: validating cdn.shalltry.com/A: bad cache hit (shalltry.com/DS)
Each night we noticed the occurence of a resolution problem (mini crisis) where requestes receive 'ServFail' for random domains, the maximum
recursive clients is also reached along with the appearance of the error in the logs being highly increased. Even known domain names like apple.com and google.com receive 'ServFail' when requested. Once flushing the cache, the situation gets back to normal
and bind starts functionning correctly.
In fact, by activating dnssec.log, we noticed these errors : 'no walidating signature found'.
When deactivating DNSSEC, we noticed that there are no more crisis for now.
Any possible explanation? Have anyone faced this problem before?
Best regards.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20220923/0f473a53/attachment.htm>
More information about the bind-users
mailing list