Description of problem:
When a bind server is configured as a caching nameserver, with "dnssec-validation" enabled, queries will intermittently fail. These are visible in the logs as the following:
<DATE> <TIME> error (no valid RRSIG) resolving '<domain>/DS/IN': <IP>#53
This seems to occur most frequently for CNAME records to content-delivery network implementations. A cache flush is necessary to allow the query to be retried and succeed.
Version-Release number of selected component (if applicable):
bind-9.8.2-0.47.rc1.el6_8.3
How reproducible:
Difficult - Only observed in highly utilized end customer environments
Steps to Reproduce:
1. Set up bind as a caching nameserver with "dnssec-validation yes;"
2. Issue queries to the server until the above "no valid RRSIG" is observed
Actual results:
The query fails until a "rndc flush" is issued on the server
Expected results:
The response returns as expected
Additional info:
Seems to be a manifestation of:
3376. [bug] Lack of EDNS support was being recorded without a
successful response. [RT #30811]
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2018:1866
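
Added example, not part of the original report or of BIND: a small log check that finds the "no valid RRSIG" message quoted above and groups it by queried name and upstream server, so an operator can see which names are stuck. The sample lines, their timestamp format and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# The message quoted in the report; the date/time prefix is not parsed.
NO_RRSIG = re.compile(
    r"error \(no valid RRSIG\) resolving "
    r"'(?P<name>[^'/]+)/(?P<rrtype>[A-Z0-9]+)/IN': "
    r"(?P<server>[0-9A-Fa-f:.]+)#\d+"
)

# Constructed sample lines (documentation names and addresses, made-up timestamps).
SAMPLE_LOG = """\
01-Jan-2018 10:00:01.100 error (no valid RRSIG) resolving 'cdn.example.net/DS/IN': 192.0.2.53#53
01-Jan-2018 10:00:01.350 error (no valid RRSIG) resolving 'cdn.example.net/DS/IN': 198.51.100.53#53
01-Jan-2018 10:00:05.900 error (no valid RRSIG) resolving 'example.org/DS/IN': 2001:db8::53#53
01-Jan-2018 10:00:06.000 error (host unreachable) resolving 'example.org/A/IN': 192.0.2.1#53
"""


def summarize(lines):
    """Group 'no valid RRSIG' errors by queried name."""
    hits = defaultdict(lambda: {"count": 0, "rrtypes": set(), "servers": set()})
    for line in lines:
        m = NO_RRSIG.search(line)
        if m is None:
            continue  # other resolver errors are out of scope here
        entry = hits[m["name"].lower().rstrip(".")]
        entry["count"] += 1
        entry["rrtypes"].add(m["rrtype"])
        entry["servers"].add(m["server"])
    return {
        name: {"count": e["count"], "rrtypes": sorted(e["rrtypes"]),
               "servers": sorted(e["servers"])}
        for name, e in hits.items()
    }


def repeated(summary, threshold=2):
    """Names that failed validation at least `threshold` times."""
    return sorted(n for n, e in summary.items() if e["count"] >= threshold)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for name in repeated(report):
        print(name, report[name])
```

Names reported here are the ones for which queries keep failing until the cache is flushed, as described under "Actual results".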