I've always recommended either a cache flush or a complete restart of named after turning on DNSSEC.
I thought I opened a ticket about this, but probably not.

AlanC

On 6/24/15 3:46 AM, frnk...@iname.com wrote:
> Ding-ding-ding -- issuing "rndc flushname ." did the trick, Mark.
>
> I'd encourage this troubleshooting tip to be documented in one of those
> how-to guides. I don't think waiting for a TTL is a good idea if most
> queries are failing with "bad cache hit".
>
> Frank
>
> -----Original Message-----
> From: Mark Andrews [mailto:ma...@isc.org]
> Sent: Tuesday, June 23, 2015 11:03 PM
> To: Frank Bulk
> Cc: bind-us...@isc.org
> Subject: Re: DNSSEC validation on 9.7.4 not working
>
> I suspect that the DNSKEY record for the root will be marked as a
> 'answer' rather than 'secure' (rndc dumpdb) and flushing the cache
> will fix the issue as will waiting ~30703 seconds. 'rndc flushname .'
> should also work though I forget where we added flushname.
>
> Mark
>
> In message <005701d0ae2f$ef2798f0$cd76cad0$@iname.com>, "Frank Bulk" writes:
>> Here you go:
>>
>> root@nagios:/etc/bind# dig @127.0.0.1 +dnssec +cd ds com; dig @127.0.0.1 +dnssec +cd dnskey .
>>
>> ; <<>> DiG 9.7.3 <<>> @127.0.0.1 +dnssec +cd ds com
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38536
>> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4096
>> ;; QUESTION SECTION:
>> ;com.                    IN      DS
>>
>> ;; ANSWER SECTION:
>> com.        86400   IN   DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
>> com.        86400   IN   RRSIG   DS 8 1 86400 20150703170000 20150623160000 48613 . ioJ6KyZ9ig0PsFBdo5jfM/9hLEX9qn06QaitkJubhcH3m/DPBi2o9xTu
>>                                  Cs9Aabwm/tSlGc+JVc3oBVSwv6LakHUY9v7aJn77pD244tnnlgNeR+z4
>>                                  kkZSn1Kp5tHmhKx8sNYe8Fe9rTA/9hC+3IokE949ppf+3CEyjJ4uhJhm lN0=
>>
>> ;; Query time: 54 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> ;; WHEN: Tue Jun 23 22:41:31 2015
>> ;; MSG SIZE  rcvd: 239
>>
>>
>> ; <<>> DiG 9.7.3 <<>> @127.0.0.1 +dnssec +cd dnskey .
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11727
>> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4096
>> ;; QUESTION SECTION:
>> ;.                       IN      DNSKEY
>>
>> ;; ANSWER SECTION:
>> .           30703   IN   DNSKEY  256 3 8 AwEAAZyIkCwEYeG29NV+4cOdKE4DPng/4BqJeoOhKqzJbl+LR33TPWsr
>>                                  wBRfmAi9wvR/Qc6IV4MFMXjmkclXns+atIQZ9uQV3YAvKv/cVuO7Mneu
>>                                  MssIQixaMw+jp73R7zIUNMbLBgJRQXI57Rl+pvXBAkgHndVwv+aJkf7y GEuE9Dtj
>> .           30703   IN   DNSKEY  256 3 8 AwEAAa67bQck1JjopOOFc+iMISFcp/osWrEst2wbKbuQSUWu77QC9UHL
>>                                  ipiHgWN7JlqVAEjKITZz49hhkLmOpmLK55pTq+RD2kwoyNWk9cvpc+tS
>>                                  nIxT7i93O+3oVeLYjMWrkDAz7K45rObbHDuSBwYZKrcSIUCZnCpNMUtn PFl/04cb
>> .           30703   IN   DNSKEY  257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
>>                                  FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
>>                                  bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
>>                                  X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
>>                                  W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
>>                                  Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
>> .           30703   IN   RRSIG   DNSKEY 8 0 172800 20150705235959 20150620000000 19036 . W6ZIOh5tJ1ph3C0c9Fqot+55jCewbk/cWRquGOeRnWkag7rx/XgsEfvd
>>                                  HLr1HsSIlag+lt1OvTlsLgvVk/yUcOAZA/NvMRPbFfbyrEi82YpZ70Z2
>>                                  B995qkT7dCf/3uBynAzubAPshUfEi7LuBy9bzyYPMvtRZptEnBz3xsAf
>>                                  4gmrRTX0BW66ve2xqvitZrPVH2WaYR70iJbJWbKKDCPl9rwEcit95gyi
>>                                  CNQLOIPFq2XgHDmo01Pr4evPbSowny6kNXzuDHgKQn1+BWX5zhbr74OE
>>                                  3FZXo2DUXm8BA5OhMY0bMg32kjzQLu+lxBWpaXabjFoALNFG4WRRdx1s 4+Wuhg==
>>
>> ;; Query time: 0 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> ;; WHEN: Tue Jun 23 22:41:31 2015
>> ;; MSG SIZE  rcvd: 883
>>
>> root@nagios:/etc/bind# date -u
>> Wed Jun 24 03:41:52 UTC 2015
>> root@nagios:/etc/bind#
>>
>> Frank
>>
>> -----Original Message-----
>> From: Mark Andrews [mailto:ma...@isc.org]
>> Sent: Tuesday, June 23, 2015 10:31 PM
>> To: Frank Bulk <frnk...@iname.com>
>> Cc: bind-us...@isc.org
>> Subject: Re: DNSSEC validation on 9.7.4 not working
>>
>> Should have asked for +dnssec on those queries. Also "date -u".
>>
>> In message <005601d0ae2c$b698b6c0$23ca2440$@iname.com>, "Frank Bulk" writes:
>>> Mark,
>>>
>>> Sorry for top-posting -- my email client makes it difficult to do otherwise.
>>>
>>> Yes, I'm absolutely sure there's no software or physical firewall (we're an
>>> ISP), and there's also no load-balancer in front of this box. I've also
>>> used the EDNS tests and I can get a 4000+ byte response. There's also no
>>> forwarder configured.
>>>
>>> Here's the requested output:
>>>
>>> root@nagios:/etc/bind# dig @127.0.0.1 +cd ds com; dig @127.0.0.1 +cd dnskey .
>>>
>>> ; <<>> DiG 9.7.3 <<>> @127.0.0.1 +cd ds com
>>> ; (1 server found)
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55498
>>> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>>>
>>> ;; QUESTION SECTION:
>>> ;com.                    IN      DS
>>>
>>> ;; ANSWER SECTION:
>>> com.        86400   IN   DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
>>>
>>> ;; Query time: 17 msec
>>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>>> ;; WHEN: Tue Jun 23 22:17:58 2015
>>> ;; MSG SIZE  rcvd: 69
>>>
>>> ;; Truncated, retrying in TCP mode.
>>>
>>> ; <<>> DiG 9.7.3 <<>> @127.0.0.1 +cd dnskey .
>>> ; (1 server found)
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25167
>>> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
>>>
>>> ;; QUESTION SECTION:
>>> ;.                       IN      DNSKEY
>>>
>>> ;; ANSWER SECTION:
>>> .           32115   IN   DNSKEY  256 3 8 AwEAAa67bQck1JjopOOFc+iMISFcp/osWrEst2wbKbuQSUWu77QC9UHL
>>>                                  ipiHgWN7JlqVAEjKITZz49hhkLmOpmLK55pTq+RD2kwoyNWk9cvpc+tS
>>>                                  nIxT7i93O+3oVeLYjMWrkDAz7K45rObbHDuSBwYZKrcSIUCZnCpNMUtn PFl/04cb
>>> .           32115   IN   DNSKEY  257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
>>>                                  FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
>>>                                  bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
>>>                                  X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
>>>                                  W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
>>>                                  Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
>>> .           32115   IN   DNSKEY  256 3 8 AwEAAZyIkCwEYeG29NV+4cOdKE4DPng/4BqJeoOhKqzJbl+LR33TPWsr
>>>                                  wBRfmAi9wvR/Qc6IV4MFMXjmkclXns+atIQZ9uQV3YAvKv/cVuO7Mneu
>>>                                  MssIQixaMw+jp73R7zIUNMbLBgJRQXI57Rl+pvXBAkgHndVwv+aJkf7y GEuE9Dtj
>>>
>>> ;; Query time: 0 msec
>>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>>> ;; WHEN: Tue Jun 23 22:17:59 2015
>>> ;; MSG SIZE  rcvd: 586
>>>
>>> Frank
>>>
>>> -----Original Message-----
>>> From: Mark Andrews [mailto:ma...@isc.org]
>>> Sent: Tuesday, June 23, 2015 10:11 PM
>>> To: Frank Bulk <frnk...@iname.com>
>>> Cc: bind-us...@isc.org
>>> Subject: Re: DNSSEC validation on 9.7.4 not working
>>>
>>> In message <003d01d0ae24$682fc080$388f4180$@iname.com>, "Frank Bulk" writes:
>>>> I'm running BIND 9.7.3 on Debian and having trouble configuring DNSSEC
>>>> validation.
>>>>
>>>> I'm using the excellent guides at
>>>> http://users.isc.org/~jreed/dnssec-guide/dnssec-guide.html#easy-start-guide-for-recursive-servers
>>>> and
>>>> https://www.surf.nl/binaries/content/assets/surf/en/knowledgebase/2012/rapport_Deploying_DNSSEC_v20.pdf
>>>> and http://dnssec.vs.uni-due.de/ which provide 9.7.x configuration
>>>> instructions, and so I'm feeling a bit slow that I can't make this work.
>>>>
>>>> I have a copy of bind.keys from
>>>> https://www.isc.org/downloads/bind/bind-keys/ in /etc/bind/
>>>>
>>>> This statement in /etc/bind/bind.conf:
>>>>
>>>> managed-keys {
>>>>         "." initial-key 257 3 8
>>>>                 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
>>>>                 FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
>>>>                 bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
>>>>                 X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
>>>>                 W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
>>>>                 Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
>>>>                 QxA+Uk1ihz0=";
>>>> };
>>>>
>>>> and the following in /etc/bind/bind.conf.options:
>>>>
>>>> options {
>>>>         <snip>
>>>>         dnssec-enable yes;
>>>>         dnssec-validation yes;
>>>>         <snip>
>>>> }
>>>>
>>>> But when I issue "rndc reconfig" I immediately get repeated log lines about
>>>> the following and then similar statements for each domain:
>>>>
>>>> 23-Jun-2015 20:43:47.402 dnssec: info: validating @0x7fcec948ce40: com DS: no valid signature found
>>>> 23-Jun-2015 20:43:47.402 dnssec: info: validating @0x7fcec8c41bf0: com DS: no valid signature found
>>>> 23-Jun-2015 20:43:47.438 dnssec: info: validating @0x7fcec8c39b80: . NS: no valid signature found
>>>> <snip>
>>>> 23-Jun-2015 20:43:48.750 dnssec: info: validating @0x7fced04fd9e0: . NS: no valid signature found
>>>> 23-Jun-2015 20:43:48.754 dnssec: info: validating @0x7fcee55996a0: a1075.dscg.akamai.net AAAA: bad cache hit (net/DS)
>>>> 23-Jun-2015 20:43:48.757 dnssec: info: validating @0x7fceca621970: wwwp.wip.rackspace.com AAAA: bad cache hit (com/DS)
>>>> 23-Jun-2015 20:43:48.759 dnssec: info: validating @0x7fceca621970: a1526.dscg.akamai.net AAAA: bad cache hit (net/DS)
>>>> 23-Jun-2015 20:43:48.759 dnssec: info: validating @0x7fced04fd9e0: a1784.dscg.akamai.net AAAA: bad cache hit (net/DS)
>>>> 23-Jun-2015 20:43:48.761 dnssec: info: validating @0x7fced04fd9e0: e1181.dscb.akamaiedge.net AAAA: bad cache hit (net/DS)
>>>>
>>>> Of course, once the TLDs aren't considered valid everything goes south.
>>>>
>>>> What am I doing wrong?
>>>>
>>>> Regards,
>>>>
>>>> Frank Bulk
>>>
>>> Are you sure that there isn't a firewall that is blocking RRSIGs getting
>>> through or that you aren't using a forwarder that isn't also
>>> validating? These sorts of messages come when named is forced back
>>> to plain DNS to get a response.
>>>
>>> What do "dig +cd ds com" and "dig +cd dnskey ." return?
>>>
>>> Mark
>>>
>>> --
>>> Mark Andrews, ISC
>>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>>> PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
>>
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
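The failure mode the thread settles on is that records fetched before validation was switched on are still in the cache at a trust level below "secure", so the validator cannot use them and every DS/DNSKEY lookup beneath them fails with "no valid signature found" or "bad cache hit" until the TTL expires or the name is flushed. The script below is an added example for triaging that situation on a resolver; it is not code from ISC, BIND or any poster in the thread. It makes two assumptions: that a cache dump from `rndc dumpdb` prefixes each RRset with a trust comment such as `; answer` or `; secure` (taken from Mark's description, not from a documented format), and that `rndc flushname` is available on the BIND in use (Mark notes he is unsure which release added it). Both the log lines and the cache-dump fragment are constructed samples in the shape of Frank's output so that the script runs offline.

```shell
#!/bin/sh
# Added example, not from the bind-users thread or from ISC.
#
# dnskey_trust ZONE  < dump  : print the "; <trust>" marker that precedes
#                              ZONE's DNSKEY RRset in rndc dumpdb output
#                              (dump layout is an assumption, see lead-in)
# flush_targets      < log   : zones whose DS/DNSKEY validation failed,
#                              root first, each once, for rndc flushname
# flush_from_log LOGFILE     : run rndc flushname for each such zone
#                              (DRY_RUN=1 only prints the commands)

dnskey_trust() {
    awk -v zone="$1" '
        $1 == ";"                    { trust = $2; next }   # "; answer", "; secure", ...
        $1 == zone && $4 == "DNSKEY" { print trust; exit }  # first DNSKEY RR of the zone
    '
}

flush_targets() {
    awk '
        BEGIN { seen["."] = 1; print "." }   # the root DNSKEY is what went stale here
        # "... AAAA: bad cache hit (net/DS)"  ->  net
        match($0, "bad cache hit \\([^/]+/") {
            z = substr($0, RSTART + 15, RLENGTH - 16)
            if (!(z in seen)) { seen[z] = 1; print z }
        }
        # "validating @0x...: com DS: no valid signature found"  ->  com
        match($0, ": [^ ]+ (DS|DNSKEY): no valid signature found") {
            split(substr($0, RSTART + 2), f, " ")
            z = f[1]
            if (!(z in seen)) { seen[z] = 1; print z }
        }
    '
}

flush_from_log() {
    flush_targets < "$1" | while read -r z; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "rndc flushname $z"
        else
            rndc flushname "$z"
        fi
    done
}

# Constructed sample input in the shape of Frank's log lines and of a cache
# dump taken before the flush (key material truncated; not a real key).
SAMPLE_LOG='23-Jun-2015 20:43:47.402 dnssec: info: validating @0x7fcec948ce40: com DS: no valid signature found
23-Jun-2015 20:43:47.438 dnssec: info: validating @0x7fcec8c39b80: . NS: no valid signature found
23-Jun-2015 20:43:48.754 dnssec: info: validating @0x7fcee55996a0: a1075.dscg.akamai.net AAAA: bad cache hit (net/DS)
23-Jun-2015 20:43:48.757 dnssec: info: validating @0x7fceca621970: wwwp.wip.rackspace.com AAAA: bad cache hit (com/DS)'

SAMPLE_DUMP='; Cache dump of view _default (cache _default)
$DATE 20150624034152
; answer
.       30703   IN      DNSKEY  257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF...
; secure
com.    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766'

# Stand-alone demo: report how the root DNSKEY is cached, and if it is not
# "secure", list the flushes the log implies.
trust=$(printf '%s\n' "$SAMPLE_DUMP" | dnskey_trust .)
echo "root DNSKEY cached with trust: ${trust:-unknown}"
if [ "$trust" != "secure" ]; then
    printf '%s\n' "$SAMPLE_LOG" | flush_targets | while read -r z; do
        echo "would run: rndc flushname $z"
    done
fi
```

On a live resolver the same checks are `rndc dumpdb -cache` followed by `dnskey_trust . < named_dump.db`, and `DRY_RUN=1 flush_from_log /var/log/named.log` to see what would be flushed before doing it. Flushing the root is the one that matters for this thread; the other names are included only so the list covers whatever else was cached unvalidated.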
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users