At Wed, 25 Mar 2020 17:03:23 +0000 CentOS mailing list <centos@xxxxxxxxxx> wrote:

>
> Hi,
>
> Anyone else had any issues with CentOS 6.10 bind DNS server issues

Yes. The installed ISC DLV key installed with
bind-9.8.2-0.68.rc1.el6_10.3.x86_64 seems to have expired and there does not
appear to be a new bind-9.8.2 RPM with a new key.

I guess you can *manually* fetch a new key (look in the installed
/etc/named.iscdlv.key file)

OR

You can just disable dnssec, by commenting out these lines:

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

and restarting named.

> this afternoon.
>
> At 16:26 (GMT) had alerts for DNS failures against our CentOS 6.10 bind
> DNS servers from our monitoring system.
>
> Sure enough DNS requests via the server were failing, checking the
> named.log showed dnssec issues;
>
> 25-Mar-2020 16:26:10.285 dnssec: info: validating @0xb48b17c0: push.services.mozilla.com A: bad cache hit (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.337 dnssec: info: validating @0xb4858cb0: push.services.mozilla.com AAAA: bad cache hit (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.349 dnssec: info: validating @0xb48b17c0: push.services.mozilla.com AAAA: bad cache hit (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.349 dnssec: info: validating @0xb4858cb0: push.services.mozilla.com A: bad cache hit (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.359 dnssec: info: validating @0xb1ec0030: push.services.mozilla.com A: bad cache hit (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.360 dnssec: info: validating @0xb462c430: push.services.mozilla.com AAAA: bad cache hit (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.441 dnssec: info: validating @0xb48b17c0: push.services.mozilla.com A: bad cache hit (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.441 dnssec: info: validating @0xb4858cb0: push.services.mozilla.com AAAA: bad cache hit (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.451 dnssec: info: validating @0xb1ec0030: push.services.mozilla.com A: bad cache hit (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.452 dnssec: info: validating @0xb462c430: push.services.mozilla.com AAAA: bad cache hit (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.463 dnssec: info: validating @0xb1ec0030: push.services.mozilla.com A: bad cache hit (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.463 dnssec: info: validating @0xb462c430: push.services.mozilla.com AAAA: bad cache hit (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.474 dnssec: info: validating @0xb1ec0030: push.services.mozilla.com AAAA: bad cache hit (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.474 dnssec: info: validating @0xb462c430: push.services.mozilla.com A: bad cache hit (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.898 dnssec: info: validating @0xb48b17c0: www.kernel.org AAAA: bad cache hit (www.kernel.org.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.899 dnssec: info: validating @0xb4858cb0: www.kernel.org A: bad cache hit (www.kernel.org.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.902 dnssec: info: validating @0xb1ec0030: www.national-lottery.co.uk A: bad cache hit (www.national-lottery.co.uk.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.902 dnssec: info: validating @0xb48b17c0: www.mirrorservice.org A: bad cache hit (www.mirrorservice.org.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.902 dnssec: info: validating @0xb462c430: www.national-lottery.co.uk AAAA: bad cache hit (www.national-lottery.co.uk.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.903 dnssec: info: validating @0xb48b17c0: www.mirrorservice.org AAAA: bad cache hit (www.mirrorservice.org.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.908 dnssec: info: validating @0xb1ec0030: www.kernel.org A: bad cache hit (www.kernel.org.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.909 dnssec: info: validating @0xb462c430: www.kernel.org AAAA: bad cache hit (www.kernel.org.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.914 dnssec: info: validating @0xb48b17c0: www.mirrorservice.org A: bad cache hit (www.mirrorservice.org.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.915 dnssec: info: validating @0xb4858cb0: www.mirrorservice.org AAAA: bad cache hit (www.mirrorservice.org.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.915 dnssec: info: validating @0xb48b17c0: www.national-lottery.co.uk AAAA: bad cache hit (www.national-lottery.co.uk.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.916 dnssec: info: validating @0xb48b17c0: www.national-lottery.co.uk A: bad cache hit (www.national-lottery.co.uk.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.925 dnssec: info: validating @0xb1ec0030: www.boredpanda.com A: bad cache hit (www.boredpanda.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.925 dnssec: info: validating @0xb48b17c0: www.boredpanda.com AAAA: bad cache hit (www.boredpanda.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.927 dnssec: info: validating @0xb48b17c0: www.bbc.co.uk AAAA: bad cache hit (www.bbc.co.uk.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.927 dnssec: info: validating @0xb4858cb0: www.bbc.co.uk A: bad cache hit (www.bbc.co.uk.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.935 dnssec: info: validating @0xb48b17c0: www.boredpanda.com A: bad cache hit (www.boredpanda.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.935 dnssec: info: validating @0xb4858cb0: www.boredpanda.com AAAA: bad cache hit (www.boredpanda.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.938 dnssec: info: validating @0xb1ec0030: www.bbc.co.uk A: bad cache hit (www.bbc.co.uk.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.938 dnssec: info: validating @0xb462c430: www.bbc.co.uk AAAA: bad cache hit (www.bbc.co.uk.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.950 dnssec: info: validating @0xb48b17c0: www.fosslinux.com A: bad cache hit (www.fosslinux.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.951 dnssec: info: validating @0xb4858cb0: www.fosslinux.com AAAA: bad cache hit (www.fosslinux.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.962 dnssec: info: validating @0xb48b17c0: www.fosslinux.com A: bad cache hit (www.fosslinux.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.962 dnssec: info: validating @0xb4858cb0: www.fosslinux.com AAAA: bad cache hit (www.fosslinux.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:11.021 dnssec: info: validating @0xb1ec0030: uk.yahoo.com AAAA: bad cache hit (uk.yahoo.com.dlv.isc.org/DLV)
>
> Followed by;
>
> 25-Mar-2020 16:26:25.828 dnssec: info:   validating @0xb48fdcd0: dlv.isc.org NSEC: verify failed due to bad signature (keyid=64263): RRSIG has expired
> 25-Mar-2020 16:26:25.828 dnssec: info:   validating @0xb48fdcd0: dlv.isc.org NSEC: no valid signature found
>
> 25-Mar-2020 16:29:05.075 dnssec: info: validating @0xb473dc48: dlv.isc.org DNSKEY: verify failed due to bad signature (keyid=19297): RRSIG has expired
> 25-Mar-2020 16:29:05.075 dnssec: notice: validating @0xb473dc48: dlv.isc.org DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for 'dlv.isc.org'
> 25-Mar-2020 16:29:05.075 dnssec: notice: validating @0xb473dc48: dlv.isc.org DNSKEY: please check the 'trusted-keys' for 'dlv.isc.org' in named.conf.
>
> No issues with our CentOS 7.7.1908 bind DNS servers.
>
> To fix I had to set the following in /etc/named.conf and restart the
> named service.
>
>         dnssec-enable no;
>         dnssec-validation no;
>
> Anyone else had this issue?
> Is there an updated key that is needed in CentOS 6.10 version of bind
> so that I can turn dnssec back on.
>
> regards Tim
>
> Tim D'Cruz
>
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> https://lists.centos.org/mailman/listinfo/centos
>
>

-- 
Robert Heller -- 978-544-6933
Cell: 413-658-7953 GV: 978-633-5364
Deepwoods Software -- Custom Software Services
http://www.deepsoft.com/ -- Linux Administration Services
heller@xxxxxxxxxxxx -- Webhosting Services
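A triage sketch for named.log output like the log quoted in this thread, added here as an example and not part of either poster's message: it groups "RRSIG has expired" failures by zone and key id, then checks whether every "bad cache hit" name is blocked by one of those zones. The function name `triage` and the sample lines are constructed for illustration, modelled on the quoted log format.

```python
import re
from collections import Counter

# Constructed sample, in the format of the named.log lines quoted in the thread.
SAMPLE_LOG = """\
25-Mar-2020 16:26:10.285 dnssec: info: validating @0xb48b17c0: push.services.mozilla.com A: bad cache hit (push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.898 dnssec: info: validating @0xb48b17c0: www.kernel.org AAAA: bad cache hit (www.kernel.org.dlv.isc.org/DLV)
25-Mar-2020 16:26:25.828 dnssec: info:   validating @0xb48fdcd0: dlv.isc.org NSEC: verify failed due to bad signature (keyid=64263): RRSIG has expired
25-Mar-2020 16:26:25.828 dnssec: info:   validating @0xb48fdcd0: dlv.isc.org NSEC: no valid signature found
25-Mar-2020 16:29:05.075 dnssec: info: validating @0xb473dc48: dlv.isc.org DNSKEY: verify failed due to bad signature (keyid=19297): RRSIG has expired
"""

LINE = re.compile(r"dnssec: \w+:\s+validating @0x[0-9a-f]+: "
                  r"(?P<name>\S+) (?P<rtype>\w+): (?P<msg>.*)$")
EXPIRED = re.compile(r"bad signature \(keyid=(?P<keyid>\d+)\): RRSIG has expired")
CACHE_HIT = re.compile(r"bad cache hit \((?P<owner>\S+)/\w+\)")

def triage(log_text):
    """Summarise expired signatures and the lookups they blocked."""
    expired = Counter()  # (zone, keyid) -> number of expiry messages
    blocked = {}         # queried name -> zone whose cached failure blocked it
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        name, msg = m["name"].rstrip("."), m["msg"]
        e = EXPIRED.search(msg)
        if e:
            expired[(name, e["keyid"])] += 1
            continue
        c = CACHE_HIT.search(msg)
        # In the quoted log the failing owner is <queried name>.<lookaside zone>.
        if c and c["owner"].startswith(name + "."):
            blocked[name] = c["owner"][len(name) + 1:]
    zones = {zone for zone, _ in expired}
    unexplained = sorted(n for n, z in blocked.items() if z not in zones)
    return {
        "expired": dict(expired),
        "blocked": blocked,
        "unexplained": unexplained,
        # True when one zone's expired signatures account for every blocked name.
        "single_cause": len(zones) == 1 and not unexplained,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

A `single_cause` result of true, as for the quoted log, means every failure chains to one zone with expired signatures; expired signatures spread across many unrelated zones usually point at the resolver's own clock instead.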