Red Hat Bugzilla – Bug 651205
DNSSEC seems to stop working after a while
Last modified: 2013-04-30 19:47:55 EDT
Description of problem:
If DNSSEC is enabled in named.conf then after a while - the exact time seems to vary from a few hours to a few days - it will decide there is something wrong with the .org keys and refuse to accept any more .org domains until named is restarted.
Here is the log extract from the latest failure:
Nov 9 00:03:13 bericote named: validating @0x7f6d5c124c50: org DNSKEY: got insecure response; parent indicates it should be secure
Nov 9 00:03:13 bericote named: error (insecurity proof failed) resolving 'org/DNSKEY/IN': 172.16.15.1#53
Nov 9 00:03:13 bericote named: validating @0x7f6d5c03aa50: c22avq2gecsqdaq173nke8obsma70duc.org NSEC3: bad cache hit (org/DNSKEY)
Nov 9 00:03:13 bericote named: validating @0x7f6d5c03aa50: h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org NSEC3: bad cache hit (org/DNSKEY)
Nov 9 00:03:13 bericote named: error (broken trust chain) resolving 'ideatorrent.org/DS/IN': 172.16.15.1#53
Nov 9 00:03:13 bericote named: error (no valid DS) resolving 'www.ideatorrent.org/A/IN': 172.16.15.1#53
Nov 9 00:03:13 bericote named: validating @0x7f6d5c0f90c0: www.ideatorrent.org AAAA: bad cache hit (ideatorrent.org/DS)
Nov 9 00:03:13 bericote named: error (broken trust chain) resolving 'www.ideatorrent.org/AAAA/IN': 172.16.15.1#53
The upstream nameserver (172.16.15.1) is still happily resolving .org domains and not complaining of any key problems.
Version-Release number of selected component (if applicable):

How reproducible:
Every time - the only thing that varies is how long it takes to trigger.
Steps to Reproduce:
1. Enable DNSSEC
2. Wait a while
3. All .org domains stop resolving
Actual results:
Something goes wrong with DNSSEC key management and domains stop resolving.

Expected results:
Keys are managed correctly and domains continue to resolve.
Additional info:
This is not new in F14; it has been happening ever since DNSSEC was introduced, and with every Fedora release I try enabling it again, find it is no better, and wind up having to disable it again.
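Added example, not part of the bug report and not BIND's own code: a small Python parser for the named validation messages quoted above, run over those same lines (copied here as a constructed sample), that pulls out the pattern the reporter describes: one "insecurity proof failed" on the org DNSKEY, after which every later validation under .org trips over the cached entry ("bad cache hit (org/DNSKEY)") and fails with "broken trust chain" or "no valid DS". The function names, the record layout and the min_dependents threshold are my own choices.

```python
import re
from collections import defaultdict

# Constructed sample: the log extract quoted in the bug report (host bericote,
# forwarder 172.16.15.1), reproduced verbatim so the parser runs offline.
SAMPLE_LOG = """\
Nov 9 00:03:13 bericote named: validating @0x7f6d5c124c50: org DNSKEY: got insecure response; parent indicates it should be secure
Nov 9 00:03:13 bericote named: error (insecurity proof failed) resolving 'org/DNSKEY/IN': 172.16.15.1#53
Nov 9 00:03:13 bericote named: validating @0x7f6d5c03aa50: c22avq2gecsqdaq173nke8obsma70duc.org NSEC3: bad cache hit (org/DNSKEY)
Nov 9 00:03:13 bericote named: validating @0x7f6d5c03aa50: h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org NSEC3: bad cache hit (org/DNSKEY)
Nov 9 00:03:13 bericote named: error (broken trust chain) resolving 'ideatorrent.org/DS/IN': 172.16.15.1#53
Nov 9 00:03:13 bericote named: error (no valid DS) resolving 'www.ideatorrent.org/A/IN': 172.16.15.1#53
Nov 9 00:03:13 bericote named: validating @0x7f6d5c0f90c0: www.ideatorrent.org AAAA: bad cache hit (ideatorrent.org/DS)
Nov 9 00:03:13 bericote named: error (broken trust chain) resolving 'www.ideatorrent.org/AAAA/IN': 172.16.15.1#53
"""

# "error (<reason>) resolving '<name>/<type>/IN': <server>#<port>"
ERR_RE = re.compile(
    r"named: error \((?P<reason>[^)]+)\) resolving "
    r"'(?P<name>[^/']+)/(?P<rtype>[^/']+)/IN': (?P<server>[^#\s]+)#(?P<port>\d+)"
)
# "validating @0x<addr>: <name> <type>: <message>"
VAL_RE = re.compile(
    r"named: validating @0x[0-9a-fA-F]+: (?P<name>\S+) (?P<rtype>\S+): (?P<msg>.*)$"
)
# inside a validating message: "bad cache hit (<zone>/<type>)"
BADCACHE_RE = re.compile(r"bad cache hit \((?P<name>[^/)]+)/(?P<rtype>[^)]+)\)")


def parse_line(line):
    """Classify one syslog line from named; returns a dict or None for lines we ignore."""
    m = ERR_RE.search(line)
    if m:
        return {"kind": "error", "reason": m["reason"], "name": m["name"],
                "rtype": m["rtype"], "server": m["server"]}
    m = VAL_RE.search(line)
    if m:
        return {"kind": "validating", "name": m["name"], "rtype": m["rtype"], "msg": m["msg"]}
    return None


def analyze(lines):
    """Group resolution errors by reason and record which cached entries later validations hit."""
    report = {
        "failures": defaultdict(list),       # reason -> [(name, rtype, server), ...]
        "bad_cache": defaultdict(set),       # "zone/RTYPE" -> names whose validation hit it
        "insecure_parent_secure": [],        # zones whose DNSKEY came back insecure despite a DS
    }
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "error":
            report["failures"][rec["reason"]].append((rec["name"], rec["rtype"], rec["server"]))
        else:
            m = BADCACHE_RE.search(rec["msg"])
            if m:
                report["bad_cache"][f"{m['name']}/{m['rtype']}"].add(rec["name"])
            elif "parent indicates it should be secure" in rec["msg"]:
                report["insecure_parent_secure"].append(rec["name"])
    return report


def stuck_zones(report, min_dependents=2):
    """Cached negative DNSKEY/DS entries that at least min_dependents later validations tripped
    over. min_dependents is an assumed threshold, not anything BIND defines."""
    return sorted(e for e, names in report["bad_cache"].items() if len(names) >= min_dependents)


def failures_under(report, zone):
    """Sorted, de-duplicated names at or below `zone` that had any resolution error."""
    zone = zone.rstrip(".").lower()
    hit = set()
    for entries in report["failures"].values():
        for name, _rtype, _server in entries:
            n = name.rstrip(".").lower()
            if n == zone or n.endswith("." + zone):
                hit.add(n)
    return sorted(hit)


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG.splitlines())
    for reason, entries in sorted(rep["failures"].items()):
        print(f"{reason}: " + ", ".join(f"{n}/{t} via {s}" for n, t, s in entries))
    print("cached entries later validations keep hitting:", stuck_zones(rep))
    print("names failing under org:", failures_under(rep, "org"))
```

On the sample, stuck_zones reports org/DNSKEY, which is the entry the reporter had to restart named to get rid of: everything under .org fails locally while the forwarder at 172.16.15.1 keeps answering. When a report like this shows a TLD apex entry with several dependents, the thing to compare is the local validator's cache against the upstream, and `rndc flush` empties that cache without a full restart.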
Can you verify if this issue is still present with the latest bind-9.7.2-4.P3.fc14 (https://bugzilla.redhat.com/show_bug.cgi?id=658987#c3), please? Thank you in advance.
I've been running that version for a couple of weeks now and the problem does not seem to have recurred so I think we can probably call it fixed.
Thanks for the feedback, closing. If you hit this issue again, please reopen the bug report.