Re: FC34 broke my bind

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

    # host google.com <http://google.com> 127.0.0.1
    Using domain server:
    Name: 127.0.0.1
    Address: 127.0.0.1#53
    Aliases:

    Host google.com <http://google.com> not found: 2(SERVFAIL)
    [root@rn6 etc]# systemctl status named-chroot.service
    ● named-chroot.service - Berkeley Internet Name Domain (DNS)
    ...
    Jun 13 01:40:05 rn6.abc.local named[32171]: broken trust chain
    resolving
'google.com/A/IN <http://google.com/A/IN>': 208.67.220.220#53 
    Found in /var/log/messages:

    Jun 13 01:43:12 rn6 named[32171]: validating google.com/A
    <http://google.com/A>: bad cache hit
    (com/DS)
    Jun 13 01:43:12 rn6 named[32171]: broken trust chain resolving
    'google.com/A/IN <http://google.com/A/IN>': 208.67.220.220#53


    I added this to named.conf, options block:
            dnssec-validation no;

    and it fixed it.

    How do I fix it without  dnssec-validation no; ?

    -T


On 6/14/21 7:36 AM, Petr Mensik wrote:
dnssec-validation yes; should work, ensure include "/etc/named.root.key"; is in named.conf too. dnssec-validation auto; would work even without it. 

It requires your forwarders to supply DNSSEC records. Check with:
dig @$IP +dnssec com ds

Or with validation:
delv @$IP com ds
Replace $IP with any IP you want to check, be it localhost, or OpenDNS servers. Should be recursive.
It has to include RRSIG also. All serious resolvers always include DNSSEC records.
You can use "rndc flushtree com" to flush that name from the cache. It should work after another query. If it happens again try changing forwarder servers to different set. 

Cheers,
Petr



Hi Petr,

That fixed it.  I was missing the named.root.key.

Thank you!

-T

Open DNS's family friendly DNS server

$ delv @208.67.222.123 com ds
; fully validated
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux