Bug 651205

Summary: DNSSEC seems to stop working after a while
Product: Fedora
Reporter: Tom Hughes <tom>
Component: bind
Assignee: Adam Tkac <atkac>
Status: CLOSED WORKSFORME
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 14
CC: atkac, ovasik
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2010-12-20 11:44:44 UTC

Description Tom Hughes 2010-11-09 00:21:58 UTC
Description of problem:

If DNSSEC is enabled in named.conf then after a while - the exact time seems to vary from a few hours to a few days - it will decide there is something wrong with the .org keys and refuse to accept any more .org domains until named is restarted.

Here is the log extract from the latest failure:

Nov  9 00:03:13 bericote named[6465]: validating @0x7f6d5c124c50: org DNSKEY: got insecure response; parent indicates it should be secure
Nov  9 00:03:13 bericote named[6465]: error (insecurity proof failed) resolving 'org/DNSKEY/IN': 172.16.15.1#53
Nov  9 00:03:13 bericote named[6465]:   validating @0x7f6d5c03aa50: c22avq2gecsqdaq173nke8obsma70duc.org NSEC3: bad cache hit (org/DNSKEY)
Nov  9 00:03:13 bericote named[6465]:   validating @0x7f6d5c03aa50: h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org NSEC3: bad cache hit (org/DNSKEY)
Nov  9 00:03:13 bericote named[6465]: error (broken trust chain) resolving 'ideatorrent.org/DS/IN': 172.16.15.1#53
Nov  9 00:03:13 bericote named[6465]: error (no valid DS) resolving 'www.ideatorrent.org/A/IN': 172.16.15.1#53
Nov  9 00:03:13 bericote named[6465]: validating @0x7f6d5c0f90c0: www.ideatorrent.org AAAA: bad cache hit (ideatorrent.org/DS)
Nov  9 00:03:13 bericote named[6465]: error (broken trust chain) resolving 'www.ideatorrent.org/AAAA/IN': 172.16.15.1#53

The upstream nameserver (172.16.15.1) is still happily resolving .org domains and not complaining of any key problems.

Version-Release number of selected component (if applicable):

bind-9.7.2-2.P2.fc14.i686

How reproducible:

Every time - the only thing that varies is how long it takes to trigger.

Steps to Reproduce:
1. Enable DNSSEC
2. Wait a while
3. All .org domains stop resolving
  
Actual results:

Something goes wrong with DNSSEC key management and domains stop resolving.

Expected results:

Keys are managed correctly and domains continue to resolve.

Additional info:

This is not new in F14; it has been happening ever since DNSSEC was introduced, and with every Fedora release I try enabling it again, find it is no better, and wind up having to disable it again.
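The log extract above shows a single key-validation failure (org/DNSKEY, "insecurity proof failed") followed by "bad cache hit" and "broken trust chain" errors for every .org name the resolver touches afterwards. The script below is an added example, not part of this bug report or of BIND: it parses named's validation messages in the syslog format quoted above, separates the zone whose own DNSKEY failed from the collateral names beneath it, and counts how often the resolver served the cached negative result. The regular expressions assume exactly the two message shapes seen in the extract ("error (<reason>) resolving '<name>/<type>/IN': <server>" and "validating @0x...: <name> <type>: <message>"); the sample input is the extract itself.

```python
import json
import re
from collections import Counter, defaultdict

# Constructed sample: the named log extract quoted in the bug report.
SAMPLE_LOG = """\
Nov  9 00:03:13 bericote named[6465]: validating @0x7f6d5c124c50: org DNSKEY: got insecure response; parent indicates it should be secure
Nov  9 00:03:13 bericote named[6465]: error (insecurity proof failed) resolving 'org/DNSKEY/IN': 172.16.15.1#53
Nov  9 00:03:13 bericote named[6465]:   validating @0x7f6d5c03aa50: c22avq2gecsqdaq173nke8obsma70duc.org NSEC3: bad cache hit (org/DNSKEY)
Nov  9 00:03:13 bericote named[6465]:   validating @0x7f6d5c03aa50: h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org NSEC3: bad cache hit (org/DNSKEY)
Nov  9 00:03:13 bericote named[6465]: error (broken trust chain) resolving 'ideatorrent.org/DS/IN': 172.16.15.1#53
Nov  9 00:03:13 bericote named[6465]: error (no valid DS) resolving 'www.ideatorrent.org/A/IN': 172.16.15.1#53
Nov  9 00:03:13 bericote named[6465]: validating @0x7f6d5c0f90c0: www.ideatorrent.org AAAA: bad cache hit (ideatorrent.org/DS)
Nov  9 00:03:13 bericote named[6465]: error (broken trust chain) resolving 'www.ideatorrent.org/AAAA/IN': 172.16.15.1#53
"""

# "error (<reason>) resolving '<name>/<type>/IN': <server>" (shape assumed from the extract)
ERROR_RE = re.compile(
    r"named\[\d+\]: error \((?P<reason>[^)]+)\) resolving "
    r"'(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)/IN': (?P<server>\S+)"
)
# "validating @0x...: <name> <type>: <message>" (shape assumed from the extract)
VALIDATING_RE = re.compile(
    r"named\[\d+\]:\s+validating @0x[0-9a-f]+: (?P<name>\S+) (?P<rtype>[A-Z0-9]+): (?P<msg>.*)"
)
BAD_CACHE_RE = re.compile(r"bad cache hit \((?P<entry>[^)]+)\)")


def parse_line(line):
    """Return a dict describing one validation event, or None for unrelated lines."""
    m = ERROR_RE.search(line)
    if m:
        return {"kind": "error", **m.groupdict()}
    m = VALIDATING_RE.search(line)
    if m:
        return {"kind": "validating", **m.groupdict()}
    return None


def is_under(name, zone):
    """True if name equals zone or lies below it in the DNS tree."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def analyze(log_text):
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    errors = [e for e in events if e["kind"] == "error"]

    # A DNSKEY resolution error names the zone whose own keys could not be
    # validated; everything failing beneath that zone is a consequence of it.
    broken_key_zones = sorted({e["name"] for e in errors if e["rtype"] == "DNSKEY"})
    reasons = Counter(e["reason"] for e in errors)

    collateral = defaultdict(set)
    for e in errors:
        if e["rtype"] == "DNSKEY":
            continue
        for zone in broken_key_zones:
            if is_under(e["name"], zone):
                collateral[zone].add(e["name"])

    # "bad cache hit (X)" means the validator reused a cached failure for X
    # instead of re-fetching it, which is why the condition persists until restart.
    bad_cache = Counter()
    for e in events:
        if e["kind"] == "validating":
            m = BAD_CACHE_RE.search(e["msg"])
            if m:
                bad_cache[m.group("entry")] += 1

    return {
        "events": len(events),
        "reasons": dict(reasons),
        "broken_key_zones": broken_key_zones,
        "collateral": {z: sorted(n) for z, n in collateral.items()},
        "bad_cache_hits": dict(bad_cache),
    }


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

Run against a live /var/log/messages, a non-empty "broken_key_zones" list is the signal worth alerting on: one failed DNSKEY validation for a TLD is enough to take every delegation beneath it offline, while the individual "broken trust chain" lines are only symptoms.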

Comment 1 Adam Tkac 2010-12-02 11:08:13 UTC
Can you verify if this issue is still present with the latest bind-9.7.2-4.P3.fc14 (https://bugzilla.redhat.com/show_bug.cgi?id=658987#c3), please? Thank you in advance.

Comment 2 Tom Hughes 2010-12-18 17:16:35 UTC
I've been running that version for a couple of weeks now and the problem does not seem to have recurred, so I think we can probably call it fixed.

Comment 3 Adam Tkac 2010-12-20 11:44:44 UTC
Thanks for the feedback, closing. If you hit this issue again, please reopen the bug report.