Bug 1416035 - With DNSSEC validation enabled, client queries fail for domains periodically with "(no valid RRSIG)"
Summary: With DNSSEC validation enabled, client queries fail for domains periodically ...
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: bind
Version: 6.8
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Petr Menšík
QA Contact: Andrej Dzilský
Depends On:
Blocks: 1374441 1461138 1494484
TreeView+ depends on / blocked
Reported: 2017-01-24 12:43 UTC by Kyle Walker
Modified: 2021-09-09 12:05 UTC (History)
7 users (show)

Fixed In Version: bind-9.8.2-0.67.rc1.el6
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-06-19 05:10:38 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:1866 0 None None None 2018-06-19 05:11:44 UTC

Description Kyle Walker 2017-01-24 12:43:20 UTC
Description of problem:
 When a bind server is configured as a caching nameserver, with "dnssec-validation" enabled, queries will intermittently fail. These are visible in the logs as the following:

	<DATE> <TIME> error (no valid RRSIG) resolving '<domain>/DS/IN': <IP>#53

This seems to occur most frequently for CNAME records to content-delivery network implementations. A cache flush is necessary to allow the query to be retried and succeed.

Version-Release number of selected component (if applicable):

How reproducible:
 Difficult - Only observed in highly utilized end customer environments

Steps to Reproduce:
1. Setup bind as a caching nameserver with "dnssec-validation yes;"
2. Issue queries to the server until the above "no valid RRSIG" is observed

Actual results:
 The query fails until a "rndc flush" is issued on the server

Expected results:
 The response returns as expected

Additional info:
 Seems to be a manifestation of:

    3376.   [bug]           Lack of EDNS support was being recorded without a
                            successful response. [RT #30811]

Comment 9 errata-xmlrpc 2018-06-19 05:10:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.