The three servers were replaced in the same exact way they were already running
including the same configuration file and all of the IP filtering, etc is the
same as they are the same IP addresses.
I did notice that for whatever reason Bind on EL9 seems to require this:
include "/etc/crypto-policies/back-ends/bind.config";
and it didn't previously.
Is there a way to kick off a test download of that key? I tried this: rndc
managed-keys refresh it didn't actually seem to do anything.
Is there a way to figure out which of the things it was trying to use to get
the keys before? UDP53 TCP53 ICMP [v4|v6}?
I just expected the service not to start if its missing the DNSSEC keys.
Thanks,
-Drew
-----Original Message-----
From: Mark Andrews <ma...@isc.org>
Sent: Wednesday, October 30, 2024 4:46 PM
To: Drew Weaver <drew.wea...@thenap.com>
Cc: bind-users@lists.isc.org
Subject: Re: 3 new servers couldn't download the key for '.' and there really
wasn't any indication
So you didn’t the log message produced by this?
dnssec_log(zone, ISC_LOG_WARNING,
"Unable to fetch DNSKEY set '%s': %s", namebuf,
isc_result_totext(eresult));
And if the forwarder is stripping RRSIGs. Forwarders need to support DNSSEC.
dnssec_log(zone, ISC_LOG_WARNING,
"No DNSKEY RRSIGs found for '%s': %s", namebuf,
isc_result_totext(eresult));
Things will likely fail if you link to the world is broken or is not allowing
DNS over both UDP and TCP or is filtering fragments (check both IPv4 and IPv6)
or is blocking ICMP or ICMPv6.
Mark
> On 31 Oct 2024, at 00:36, Drew Weaver <drew.wea...@thenap.com> wrote:
>
> Hello,
> We recently replaced 3 BIND 9 servers with newer ones.
> For whatever reason during the initial setup process the 3 servers all
> failed to download the dnssec key for ‘.’ And there was no indication
> whatsoever that this failed.
> I would propose that if the server is configured as a caching nameserver
> that if it cannot download the key the service shouldn’t start at all or
> there should be some very forceful indication that it didn’t work.
> Also does anyone know under what conditions that process fails?
> I’d like to avoid this in the future.
> Thanks,
> -Drew
> --
> Visit
> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.isc.org_mai
> lman_listinfo_bind-2Dusers&d=DwIFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_
> CdpgnVfiiMM&r=OPufM5oSy-PFpzfoijO_w76wskMALE1o4LtA3tMGmuw&m=HvpqIUyEt0
> dxiHnUKy40KC9yDr45iIe_djSwVGaLn930M0FEJ9al_tZS-XCsihQr&s=axTYukN0qenc_
> PnoXUGK3XyjuXbJtR0KaXRcxPuh41o&e= to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.isc.org_contact_&d=DwIFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=OPufM5oSy-PFpzfoijO_w76wskMALE1o4LtA3tMGmuw&m=HvpqIUyEt0dxiHnUKy40KC9yDr45iIe_djSwVGaLn930M0FEJ9al_tZS-XCsihQr&s=dwSWLdRRtNjY9Wnq7jlJOkJK3fHnE3outBg88sZTew4&e=
> for more information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.isc.org_mai
> lman_listinfo_bind-2Dusers&d=DwIFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_
> CdpgnVfiiMM&r=OPufM5oSy-PFpzfoijO_w76wskMALE1o4LtA3tMGmuw&m=HvpqIUyEt0
> dxiHnUKy40KC9yDr45iIe_djSwVGaLn930M0FEJ9al_tZS-XCsihQr&s=axTYukN0qenc_
> PnoXUGK3XyjuXbJtR0KaXRcxPuh41o&e=
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
