dnssec-validation yes; should work, ensure include "/etc/named.root.key";
is in named.conf too. dnssec-validation auto; would work even without it.
It requires your forwarders to supply DNSSEC records. Check with:
dig @$IP +dnssec com ds
Or with validation:
delv @$IP com ds
Replace $IP with any IP you want to check, be it localhost, or OpenDNS
servers. Should be recursive.
It has to include RRSIG also. All serious resolvers always include DNSSEC
records.
You can use "rndc flushtree com" to flush that name from the cache. It
should work after another query. If it happens again try changing forwarder
servers to different set.
Cheers,
Petr
On Sun, Jun 13, 2021 at 10:52 AM ToddAndMargo via users <
users@lists.fedoraproject.org> wrote:
> On 6/13/21 1:29 AM, ToddAndMargo via users wrote:
> > On 6/12/21 11:39 PM, ToddAndMargo via users wrote:
> >> Oh poop! Figured it out!
> >>
> >> # systemctl status named-chroot.service
> >> ● named-chroot.service - Berkeley Internet Name Domain (DNS)
> >> Loaded: loaded (/usr/lib/systemd/system/named-chroot.service;
> >> enabled; vendor preset: disabled)
> >> Active: active (running) since Sat 2021-06-12 14:49:05 PDT; 8h ago
> >> Process: 11410 ExecStartPre=/bin/bash -c if [ !
> >> "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t
> >> /var/named/chroot -z "$NAMEDCONF"; else echo "Checki>
> >> Process: 11446 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF}
> >> -t /var/named/chroot $OPTIONS (code=exited, status=0/SUCCESS)
> >> Main PID: 11452 (named)
> >> Tasks: 14 (limit: 19025)
> >> Memory: 141.5M
> >> CPU: 14.612s
> >> CGroup: /system.slice/named-chroot.service
> >> └─11452 /usr/sbin/named -u named -c /etc/named.conf -t
> >> /var/named/chroot
> >>
> >>
> >>
> >> I was starting the wrong named !!!!!!!
> >>
> >> # systemctl disable daemon_name.service
> >> Fixed the problem
> >>
> >> Freaking FC34 upgrade disabled named-chroot on me!
> >>
> >> Sorry for putting your guys through all this. Thank
> >> you all for the tips!
> >>
> >> -T
> > Okay, now I am REALLY confused!!!
> >
> >
> > # host 8.8.8.8 127.0.0.1
> > Using domain server:
> > Name: 127.0.0.1
> > Address: 127.0.0.1#53
> > Aliases:
> >
> > Host 8.8.8.8.in-addr.arpa not found: 2(SERVFAIL)
> >
> >
> >
> > This is my /etc/resolv.conf (same as in FC33):
> >
> > # cat /etc/resolv.conf
> >
> > # Generated by NetworkManager
> > search abc.local
> > nameserver 127.0.0.1
> > # nameserver 8.8.8.8
> >
> > Now what ?!?!?!
>
>
> A workaround i at the bottom
>
>
> # host google.com 127.0.0.1
> Using domain server:
> Name: 127.0.0.1
> Address: 127.0.0.1#53
> Aliases:
>
> Host google.com not found: 2(SERVFAIL)
> [root@rn6 etc]# systemctl status named-chroot.service
> ● named-chroot.service - Berkeley Internet Name Domain (DNS)
> Loaded: loaded (/usr/lib/systemd/system/named-chroot.service;
> enabled; vendor preset: disabled)
> Active: active (running) since Sun 2021-06-13 01:39:12 PDT; 1min
> 12s ago
> Process: 32167 ExecStartPre=/bin/bash -c if [ !
> "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t
> /var/named/chroot -z "$NAMEDCONF"; else echo "Checki>
> Process: 32170 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF}
> -t /var/named/chroot $OPTIONS (code=exited, status=0/SUCCESS)
> Main PID: 32171 (named)
> Tasks: 14 (limit: 19025)
> Memory: 97.2M
> CPU: 180ms
> CGroup: /system.slice/named-chroot.service
> └─32171 /usr/sbin/named -u named -c /etc/named.conf -t
> /var/named/chroot
>
> Jun 13 01:40:05 rn6.abc.local named[32171]: network unreachable
> resolving 'com/DS/IN': 2001:503:c27::2:30#53
> Jun 13 01:40:05 rn6.abc.local named[32171]: network unreachable
> resolving 'com/DS/IN': 2001:500:1::53#53
> Jun 13 01:40:05 rn6.abc.local named[32171]: network unreachable
> resolving 'com/DS/IN': 2001:500:2::c#53
> Jun 13 01:40:05 rn6.abc.local named[32171]: network unreachable
> resolving 'com/DS/IN': 2001:500:200::b#53
> Jun 13 01:40:05 rn6.abc.local named[32171]: network unreachable
> resolving 'com/DS/IN': 2001:500:12::d0d#53
> Jun 13 01:40:05 rn6.abc.local named[32171]: network unreachable
> resolving 'com/DS/IN': 2001:500:9f::42#53
> Jun 13 01:40:05 rn6.abc.local named[32171]: network unreachable
> resolving 'com/DS/IN': 2001:7fd::1#53
> Jun 13 01:40:05 rn6.abc.local named[32171]: validating com/DS: no valid
> signature found
> Jun 13 01:40:05 rn6.abc.local named[32171]: no valid RRSIG resolving
> 'com/DS/IN': 192.36.148.17#53
> Jun 13 01:40:05 rn6.abc.local named[32171]: broken trust chain resolving
> 'google.com/A/IN': 208.67.220.220#53
>
>
> Found in /var/log/messages:
>
> Jun 13 01:43:12 rn6 named[32171]: validating google.com/A: bad cache hit
> (com/DS)
> Jun 13 01:43:12 rn6 named[32171]: broken trust chain resolving
> 'google.com/A/IN': 208.67.220.220#53
>
>
> I added this to named.conf, options block:
> dnssec-validation no;
>
> and it fixed it.
>
> How do I fix it without dnssec-validation no; ?
>
> -T
>
> # host google.com 127.0.0.1
> Using domain server:
> Name: 127.0.0.1
> Address: 127.0.0.1#53
> Aliases:
>
> google.com has address 172.217.6.78
> google.com has IPv6 address 2607:f8b0:4005:80a::200e
> google.com mail is handled by 10 aspmx.l.google.com.
> google.com mail is handled by 50 alt4.aspmx.l.google.com.
> google.com mail is handled by 40 alt3.aspmx.l.google.com.
> google.com mail is handled by 20 alt1.aspmx.l.google.com.
> google.com mail is handled by 30 alt2.aspmx.l.google.com.
>
> _______________________________________________
> users mailing list -- users@lists.fedoraproject.org
> To unsubscribe send an email to users-le...@lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
>
--
--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com PGP: 65C6C973
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
