Since I switched over from Sparklight (DOCSIS MSP) to T-Mobile (5G) I've had a 
world of hurt including timed out inbound and outbound connections, as well as 
DNS failures:

Jan  5 16:10:39 OpenWrt2 named[21948]: validating global.dexcom.com/CNAME: no valid signature found
Jan  5 16:10:39 OpenWrt2 named[21948]: validating global.dexcom.com/CNAME: no valid signature found
Jan  5 16:10:40 OpenWrt2 named[21948]: validating accounts-api.dexcom.com/CNAME: no valid signature found
Jan  5 16:10:40 OpenWrt2 named[21948]: validating accounts-api.dexcom.com/CNAME: no valid signature found
Jan  5 16:10:41 OpenWrt2 named[21948]:   validating dexcom.com/SOA: no valid signature found
Jan  5 16:10:41 OpenWrt2 named[21948]:   validating 0ps3e2esgssv8i3c82tuahqgb0c51d02.dexcom.com/NSEC3: no valid signature found
Jan  5 16:10:41 OpenWrt2 named[21948]: validating mobile.share-us.dexcom.com/CNAME: no valid signature found
Jan  5 16:10:41 OpenWrt2 named[21948]: validating mobile.share-us.dexcom.com/CNAME: no valid signature found
Jan  5 16:16:58 OpenWrt2 named[21948]: shut down hung fetch while resolving 0x7fb92cf82800(gsp-ssl.ls-apple.com.akadns.net/HTTPS)
Jan  5 16:16:58 OpenWrt2 named[21948]: shut down hung fetch while resolving 0x7fb92e513400(gsp-ssl.ls-apple.com.akadns.net/A)
Jan  5 16:19:06 OpenWrt2 named[21948]: shut down hung fetch while resolving 0x7fb92ee19400(mesu-cdn.origin-apple.com.akadns.net/HTTPS)
Jan  5 16:19:06 OpenWrt2 named[21948]: shut down hung fetch while resolving 0x7fb92ee1a800(mesu-cdn.origin-apple.com.akadns.net/A)
Jan  5 16:21:33 OpenWrt2 named[21948]: loop detected resolving 'evergreen.v6.afraid.org/A'
Jan  5 16:23:11 OpenWrt2 named[21948]: shut down hung fetch while resolving 0x7fb92d060800(self.events.data.microsoft.com/A)
Jan  5 16:23:11 OpenWrt2 named[21948]: shut down hung fetch while resolving 0x7fb9305a4000(self.events.data.microsoft.com/HTTPS)

And timeout messages about 127.0.0.1:53 ...

Anyone know what this is about or what the fix is (besides picking a better 
carrier)?

My config is:

// This is the primary configuration file for the BIND DNS server named.

options {
    // Default directory for ephemeral zones, long-lived zones
    // can be stored under /var/lib/bind (aka /etc/bind/zones)
    directory "/var/cache/bind";

    // This is used e.g. by isc-dhcp
    allow-new-zones yes;
    disable-empty-zone 168.192.in-addr.arpa; // @@@ delete me

    recursion yes;

    // note that all subnets are visible to each other;
    // if we wished to isolate them we could use "views".
    allow-query {
        localhost;
        192.168.3.0/24;
    };

    auth-nxdomain no;    # conform to RFC1035

    allow-transfer { none; };
    dnssec-validation auto;
    listen-on-v6 { none; };
    query-source-v6 none;
    listen-on {
        127.0.0.1;
        192.168.3.1;
    };

    // hopefully we'll stop exhausting memory
    max-cache-size 128M;
    clients-per-query 50;
};

// prime the server with knowledge of the root servers
zone "." {
    type hint;
    file "/etc/bind/db.root";
};

And I'm running:

BIND 9.20.15 (Stable Release) <id:0c0fcf7>
running on Linux x86_64 6.12.60 #0 SMP PREEMPT_RT Sat Dec  6 18:24:04 2025
built by make with  '--target=x86_64-openwrt-linux' 
'--host=x86_64-openwrt-linux' '--build=x86_64-pc-linux-gnu' 
'--disable-dependency-tracking' '--program-prefix=' '--program-suffix=' 
'--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' 
'--libexecdir=/usr/lib' '--sysconfdir=/etc' '--datadir=/usr/share' 
'--localstatedir=/var' '--mandir=/usr/man' '--infodir=/usr/info' 
'--disable-geoip' 
'--with-openssl=/home/philipp/lede/staging_dir/target-x86_64_musl/usr' 
'--without-lmdb' '--without-readline' '--sysconfdir=/etc/bind' 
'--with-json-c=no' '--with-libxml2=yes' '--with-jemalloc=yes' '--disable-doh' 
'--without-gssapi' 'build_alias=x86_64-pc-linux-gnu' 
'host_alias=x86_64-openwrt-linux' 'target_alias=x86_64-openwrt-linux' 
'CC=x86_64-openwrt-linux-musl-gcc' 'CFLAGS=-Os -pipe -g3 -fno-caller-saves 
-fno-plt -fhonour-copts 
-fmacro-prefix-map=/home/philipp/lede/build_dir/target-x86_64_musl/bind-9.20.15=bind-9.20.15
 -Wformat -Werror=format-security -fstack-protector
 -D_FORTIFY_SOURCE=1 -Wl,-z,now -Wl,-z,relro -Wl,-z,pack-relative-relocs   ' 
'LDFLAGS=-L/home/philipp/lede/staging_dir/toolchain-x86_64_gcc-14.3.0_musl/usr/lib
 -L/home/philipp/lede/staging_dir/toolchain-x86_64_gcc-14.3.0_musl/lib 
-fuse-ld=bfd -znow -zrelro -zpack-relative-relocs   
-Wl,--gc-sections,--as-needed 
-Wl,-rpath-link,/home/philipp/lede/build_dir/target-x86_64_musl/bind-9.20.15/lib/ns/.libs
 ' 
'CPPFLAGS=-I/home/philipp/lede/staging_dir/toolchain-x86_64_gcc-14.3.0_musl/usr/include
 -I/home/philipp/lede/staging_dir/toolchain-x86_64_gcc-14.3.0_musl/include 
-I/home/philipp/lede/staging_dir/toolchain-x86_64_gcc-14.3.0_musl/include/fortify
   ' 'PKG_CONFIG=/home/philipp/lede/staging_dir/host/bin/pkg-config' 
'PKG_CONFIG_PATH=/home/philipp/lede/staging_dir/target-x86_64_musl/usr/lib/pkgconfig:/home/philipp/lede/staging_dir/target-x86_64_musl/usr/share/pkgconfig'
 
'PKG_CONFIG_LIBDIR=/home/philipp/lede/staging_dir/target-x86_64_musl/usr/lib/pkgconfig:/home/philipp/lede/staging_dir/target-x86_64_musl/usr/share/pkgconfig'
compiled by GCC 14.3.0
compiled with OpenSSL version: OpenSSL 3.5.4 30 Sep 2025
linked to OpenSSL version: OpenSSL 3.5.4 30 Sep 2025
compiled with libuv version: 1.48.0
linked to libuv version: 1.48.0
compiled with liburcu version: 0.15.5
compiled with jemalloc version: 0.0.0
compiled with libxml2 version: 2.15.1
linked to libxml2 version: 21501
compiled with zlib version: 1.3.1
linked to zlib version: 1.3.1
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 
ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 
HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): no
TKEY mode 3 support (GSS-API): no

default paths:
  named configuration:  /etc/bind/named.conf
  rndc configuration:   /etc/bind/rndc.conf
  nsupdate session key: /var/run/named/session.key
  named PID file:       /var/run/named/named.pid
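
A triage sketch for named log excerpts like the one in this post, added here as an example and not part of the original message: it re-joins hard-wrapped syslog records and counts each message class per zone, which shows whether validation failures cluster in one zone or are spread across many. The two-label `zone_guess` heuristic and all function names are assumptions of the example.

```python
import re
from collections import Counter

# Sample records taken from the log in the post, hard-wrapped the way mail
# transport wraps them.
SAMPLE = """\
Jan  5 16:10:39 OpenWrt2 named[21948]: validating global.dexcom.com/CNAME: no
valid signature found
Jan  5 16:10:40 OpenWrt2 named[21948]: validating
accounts-api.dexcom.com/CNAME: no valid signature found
Jan  5 16:10:41 OpenWrt2 named[21948]:   validating dexcom.com/SOA: no valid
signature found
Jan  5 16:16:58 OpenWrt2 named[21948]: shut down hung fetch while resolving
0x7fb92cf82800(gsp-ssl.ls-apple.com.akadns.net/HTTPS)
Jan  5 16:21:33 OpenWrt2 named[21948]: loop detected resolving
'evergreen.v6.afraid.org/A'
"""

TS = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
PATTERNS = {
    "dnssec_validation": re.compile(r"validating (\S+)/(\w+): (.+)$"),
    "hung_fetch": re.compile(r"hung fetch while resolving 0x[0-9a-f]+\((\S+)/(\w+)\)"),
    "loop": re.compile(r"loop detected resolving '(\S+)/(\w+)'"),
}

def unwrap(text):
    """A line without a syslog timestamp continues the previous record."""
    records = []
    for line in text.splitlines():
        if TS.match(line) or not records:
            records.append(line.rstrip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def zone_guess(name):
    # Assumption: the last two labels approximate the zone (not public-suffix aware).
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def triage(text):
    out = {kind: Counter() for kind in PATTERNS}
    for rec in unwrap(text):
        for kind, pat in PATTERNS.items():
            m = pat.search(rec)
            if m:
                out[kind][zone_guess(m.group(1))] += 1
                break
    return out
```
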


