Bug 1416035

Summary: With DNSSEC validation enabled, client queries fail for domains periodically with "(no valid RRSIG)"
Product: Red Hat Enterprise Linux 6 Reporter: Kyle Walker <kwalker>
Component: bindAssignee: Petr Menšík <pemensik>
Status: CLOSED ERRATA QA Contact: Andrej Dzilský <adzilsky>
Severity: high Docs Contact:
Priority: high    
Version: 6.8CC: adzilsky, cww, hajek, jkurik, psklenar, tbowling, thozza
Target Milestone: rcKeywords: Patch
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: bind-9.8.2-0.67.rc1.el6 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-06-19 05:10:38 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1374441, 1461138, 1494484    

Description Kyle Walker 2017-01-24 12:43:20 UTC 
Description of problem:
 When a bind server is configured as a caching nameserver, with "dnssec-validation" enabled, queries will intermittently fail. These are visible in the logs as the following:

	<DATE> <TIME> error (no valid RRSIG) resolving '<domain>/DS/IN': <IP>#53

This seems to occur most frequently for CNAME records to content-delivery network implementations. A cache flush is necessary to allow the query to be retried and succeed.


Version-Release number of selected component (if applicable):
 bind-9.8.2-0.47.rc1.el6_8.3


How reproducible:
 Difficult - Only observed in highly utilized end customer environments


Steps to Reproduce:
1. Setup bind as a caching nameserver with "dnssec-validation yes;"
2. Issue queries to the server until the above "no valid RRSIG" is observed
3. 


Actual results:
 The query fails until a "rndc flush" is issued on the server


Expected results:
 The response returns as expected


Additional info:
 Seems to be a manifestation of:

    3376.   [bug]           Lack of EDNS support was being recorded without a
                            successful response. [RT #30811]
Comment 9 errata-xmlrpc 2018-06-19 05:10:38 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1866