Bug 651205 - DNSSEC seems to stop working after a while
Status: CLOSED WORKSFORME
Product: Fedora
Classification: Fedora
Component: bind
Version: 14
Hardware/OS: Unspecified Unspecified
Priority: low
Severity: medium
Assigned To: Adam Tkac
QA Contact: Fedora Extras Quality Assurance
Reported: 2010-11-08 19:21 EST by Tom Hughes
Modified: 2013-04-30 19:47 EDT
Last Closed: 2010-12-20 06:44:44 EST
Doc Type: Bug Fix
Attachments: None
Description Tom Hughes 2010-11-08 19:21:58 EST
Description of problem:

If DNSSEC is enabled in named.conf then after a while - the exact time seems to vary from a few hours to a few days - it will decide there is something wrong with the .org keys and refuse to accept any more .org domains until named is restarted.

Here is the log extract from the latest failure:

Nov  9 00:03:13 bericote named[6465]: validating @0x7f6d5c124c50: org DNSKEY: got insecure response; parent indicates it should be secure
Nov  9 00:03:13 bericote named[6465]: error (insecurity proof failed) resolving 'org/DNSKEY/IN': 172.16.15.1#53
Nov  9 00:03:13 bericote named[6465]:   validating @0x7f6d5c03aa50: c22avq2gecsqdaq173nke8obsma70duc.org NSEC3: bad cache hit (org/DNSKEY)
Nov  9 00:03:13 bericote named[6465]:   validating @0x7f6d5c03aa50: h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org NSEC3: bad cache hit (org/DNSKEY)
Nov  9 00:03:13 bericote named[6465]: error (broken trust chain) resolving 'ideatorrent.org/DS/IN': 172.16.15.1#53
Nov  9 00:03:13 bericote named[6465]: error (no valid DS) resolving 'www.ideatorrent.org/A/IN': 172.16.15.1#53
Nov  9 00:03:13 bericote named[6465]: validating @0x7f6d5c0f90c0: www.ideatorrent.org AAAA: bad cache hit (ideatorrent.org/DS)
Nov  9 00:03:13 bericote named[6465]: error (broken trust chain) resolving 'www.ideatorrent.org/AAAA/IN': 172.16.15.1#53

The upstream nameserver (172.16.15.1) is still happily resolving .org domains and not complaining of any key problems.

Version-Release number of selected component (if applicable):

bind-9.7.2-2.P2.fc14.i686

How reproducible:

Every time - the only thing that varies is how long it takes to trigger.

Steps to Reproduce:
1. Enable DNSSEC
2. Wait a while
3. All .org domains stop resolving
  
Actual results:

Something goes wrong with DNSSEC key management and domains stop resolving.

Expected results:

Keys are managed correctly and domains continue to resolve.

Additional info:

This is not new in F14, it has been happening ever since DNSSEC was introduced and with every Fedora release I try enabling it again and find it is no better and wind up having to disable it again.
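A way to spot this failure state from the resolver log, as an added example that is not part of the bug report or of bind: it parses named's "error (...) resolving" and "bad cache hit" messages, flags a zone whose DNSKEY insecurity proof failed and is now being answered from cache, and lists the names under that zone that consequently failed validation. The sample input is the report's own log extract; the regular expressions and the reading of "bad cache hit" as a cached validation failure are this example's own assumptions.

```python
import re

# Log lines quoted in the bug report, embedded here as sample input.
SAMPLE_LOG = """\
Nov  9 00:03:13 bericote named[6465]: validating @0x7f6d5c124c50: org DNSKEY: got insecure response; parent indicates it should be secure
Nov  9 00:03:13 bericote named[6465]: error (insecurity proof failed) resolving 'org/DNSKEY/IN': 172.16.15.1#53
Nov  9 00:03:13 bericote named[6465]:   validating @0x7f6d5c03aa50: c22avq2gecsqdaq173nke8obsma70duc.org NSEC3: bad cache hit (org/DNSKEY)
Nov  9 00:03:13 bericote named[6465]:   validating @0x7f6d5c03aa50: h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org NSEC3: bad cache hit (org/DNSKEY)
Nov  9 00:03:13 bericote named[6465]: error (broken trust chain) resolving 'ideatorrent.org/DS/IN': 172.16.15.1#53
Nov  9 00:03:13 bericote named[6465]: error (no valid DS) resolving 'www.ideatorrent.org/A/IN': 172.16.15.1#53
Nov  9 00:03:13 bericote named[6465]: validating @0x7f6d5c0f90c0: www.ideatorrent.org AAAA: bad cache hit (ideatorrent.org/DS)
Nov  9 00:03:13 bericote named[6465]: error (broken trust chain) resolving 'www.ideatorrent.org/AAAA/IN': 172.16.15.1#53
"""

# error (<reason>) resolving '<name>/<rrtype>/IN': <server>   (assumed message shape)
ERROR_RE = re.compile(r"named\[\d+\]: error \((?P<reason>[^)]+)\) resolving "
                      r"'(?P<name>[^/]+)/(?P<rrtype>[A-Z0-9]+)/IN': (?P<server>\S+)")
# validating @0x...: <name> <rrtype>: bad cache hit (<zone>/<rrtype>)
BAD_CACHE_RE = re.compile(r"bad cache hit \((?P<zone>[^/]+)/(?P<rrtype>[A-Z0-9]+)\)")

def parse_validation_errors(log_text):
    """One dict per 'error (...) resolving' line: reason, name, rrtype, server."""
    return [m.groupdict() for m in map(ERROR_RE.search, log_text.splitlines()) if m]

def poisoned_zones(log_text):
    """Zones whose DNSKEY failed an insecurity proof and whose failure is now
    answered from cache ('bad cache hit'): every name under such a zone keeps
    failing validation until named is restarted or its cache is flushed."""
    failed_keys = {e["name"] for e in parse_validation_errors(log_text)
                   if e["rrtype"] == "DNSKEY" and e["reason"] == "insecurity proof failed"}
    cached = {m.group("zone") for m in BAD_CACHE_RE.finditer(log_text)
              if m.group("rrtype") == "DNSKEY"}
    return sorted(failed_keys & cached)

def downstream_failures(log_text, zone):
    """Names under <zone> that failed with a chain-of-trust error, sorted."""
    suffix = "." + zone
    return sorted({e["name"] for e in parse_validation_errors(log_text)
                   if e["name"].endswith(suffix)
                   and e["reason"] in ("broken trust chain", "no valid DS")})

if __name__ == "__main__":
    for zone in poisoned_zones(SAMPLE_LOG):
        print(f"{zone}: DNSKEY validation failure cached; affected names:",
              downstream_failures(SAMPLE_LOG, zone))
```

Feeding a live named log through `poisoned_zones` gives a concrete alert condition (a TLD key stuck in a failed state) rather than waiting for users to report that a whole TLD no longer resolves.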
Comment 1 Adam Tkac 2010-12-02 06:08:13 EST
Can you verify if this issue is still present with the latest bind-9.7.2-4.P3.fc14 (https://bugzilla.redhat.com/show_bug.cgi?id=658987#c3), please? Thank you in advance.
Comment 2 Tom Hughes 2010-12-18 12:16:35 EST
I've been running that version for a couple of weeks now and the problem does not seem to have recurred so I think we can probably call it fixed.
Comment 3 Adam Tkac 2010-12-20 06:44:44 EST
Thanks for feedback, closing. If you hit this issue again, please reopen the bug report.