I will repeat what I said before when you logged this as a bug. Stop using look aside validation. The service has been turned off for 7 years now. The only thing there is a empty zone that is returning NXDOMAIN for every lookup other than the apex which only has SOA, NS, NSEC and RRSIG records. There are no DLV records there to lookup.
https://kb.isc.org/docs/disable-dnssec-lookaside-dlv-now-heres-how Also I am not going to ask operations what happened 2 weeks ago to cause the signature to be momentarily bad. Mark > On 19 Aug 2024, at 10:51, 秋林峻祐 <jst...@d2c.co.jp> wrote: > > This will be my first email. Sorry for any rough edges. > ISSUE:: I am using a DNS server in Japan. The DNS server failed to resolve > the domain name on August 2, 2024. It automatically recovered after a while. > The following message was recorded in the logs > I want to know why I suddenly can't resolve names. > logs:: > log1: validating @0xXXXXXXXXXXXXXXXX: dlv.isc.org DNSKEY: verify failed due > to bad signature (keyid=xxxxxxx): RRSIG has expired > log2: validating @0xXXXXXXXXXXXXXXXX: domain.example.com A: bad cache hit > (domain.example.com.dlv.isc.org/DLV) > timestamp:: Failure date: 2024.08.02 00:39:30 (JST) Failure recovery date: > 2024.08.02 05:06:06 (JST) > env:: CentOS release 6.4 (Final) BIND version: > bind-9.8.2-0.68.rc1.el6_10.8.x86_64 Execution user: /group:root / named > Considerations:: There were no other physical or internal OS failures. From > the fact that the recovery was automatic, I am guessing that there was a > failure or maintenance in the dlv repository for verification. If you have > any other information related to the cause of the problem, we would > appreciate it if you could share it with us. > Discussion:: > I know that “Look aside validation” has already been discontinued, but I have > a question to isolate the cause. > I would like to know why “Look aside validation” has already been > discontinued, yet the system usually operates without problems. > There were no other physical or internal OS failures. > The system recovered automatically. > I am guessing that it was caused by the dlv repository for validation. > If anyone has any other information relate > -- > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from > this list > > ISC funds the development of this software with paid support subscriptions. > Contact us at https://www.isc.org/contact/ for more information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
