At Wed, 25 Mar 2020 17:03:23 +0000 CentOS mailing list <centos at
centos.org> wrote:
>
> Hi,
>
> Anyone else had any issues with CentOS 6.10 bind DNS server issues
> this afternoon.

Yes. The installed ISC DLV key installed with
bind-9.8.2-0.68.rc1.el6_10.3.x86_64 seems to have expired and there does not
appear to be a new bind-9.8.2 RPM with a new key. I guess you can *manually*
fetch a new key (look in the installed /etc/named.iscdlv.key file)

OR

You can just disable dnssec, by commenting out these lines:

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

and restarting named.

>
> At 16:26 (GMT) had alerts for DNS failures against our CentOS 6.10 bind
> DNS servers
> from our monitoring system.
>
> Sure enough DNS requests via the server were failing, checking the
> named.log showed
> dnssec issues;
>
> 25-Mar-2020 16:26:10.285 dnssec: info: validating @0xb48b17c0:
> push.services.mozilla.com A: bad cache hit
> (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.337 dnssec: info: validating @0xb4858cb0:
> push.services.mozilla.com AAAA: bad cache hit
> (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.349 dnssec: info: validating @0xb48b17c0:
> push.services.mozilla.com AAAA: bad cache hit
> (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.349 dnssec: info: validating @0xb4858cb0:
> push.services.mozilla.com A: bad cache hit
> (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.359 dnssec: info: validating @0xb1ec0030:
> push.services.mozilla.com A: bad cache hit
> (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.360 dnssec: info: validating @0xb462c430:
> push.services.mozilla.com AAAA: bad cache hit
> (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.441 dnssec: info: validating @0xb48b17c0:
> push.services.mozilla.com A: bad cache hit
> (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.441 dnssec: info: validating @0xb4858cb0:
> push.services.mozilla.com AAAA: bad cache hit
> (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.451 dnssec: info: validating @0xb1ec0030:
> push.services.mozilla.com A: bad cache hit
> (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.452 dnssec: info: validating @0xb462c430:
> push.services.mozilla.com AAAA: bad cache hit
> (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.463 dnssec: info: validating @0xb1ec0030:
> push.services.mozilla.com A: bad cache hit
> (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.463 dnssec: info: validating @0xb462c430:
> push.services.mozilla.com AAAA: bad cache hit
> (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.474 dnssec: info: validating @0xb1ec0030:
> push.services.mozilla.com AAAA: bad cache hit
> (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.474 dnssec: info: validating @0xb462c430:
> push.services.mozilla.com A: bad cache hit
> (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.898 dnssec: info: validating @0xb48b17c0:
> www.kernel.org AAAA: bad cache hit (www.kernel.org.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.899 dnssec: info: validating @0xb4858cb0:
> www.kernel.org A: bad cache hit (www.kernel.org.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.902 dnssec: info: validating @0xb1ec0030:
> www.national-lottery.co.uk A: bad cache hit
> (www.national-lottery.co.uk.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.902 dnssec: info: validating @0xb48b17c0:
> www.mirrorservice.org A: bad cache hit
> (www.mirrorservice.org.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.902 dnssec: info: validating @0xb462c430:
> www.national-lottery.co.uk AAAA: bad cache hit
> (www.national-lottery.co.uk.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.903 dnssec: info: validating @0xb48b17c0:
> www.mirrorservice.org AAAA: bad cache hit
> (www.mirrorservice.org.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.908 dnssec: info: validating @0xb1ec0030:
> www.kernel.org A: bad cache hit (www.kernel.org.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.909 dnssec: info: validating @0xb462c430:
> www.kernel.org AAAA: bad cache hit (www.kernel.org.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.914 dnssec: info: validating @0xb48b17c0:
> www.mirrorservice.org A: bad cache hit
> (www.mirrorservice.org.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.915 dnssec: info: validating @0xb4858cb0:
> www.mirrorservice.org AAAA: bad cache hit
> (www.mirrorservice.org.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.915 dnssec: info: validating @0xb48b17c0:
> www.national-lottery.co.uk AAAA: bad cache hit
> (www.national-lottery.co.uk.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.916 dnssec: info: validating @0xb48b17c0:
> www.national-lottery.co.uk A: bad cache hit
> (www.national-lottery.co.uk.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.925 dnssec: info: validating @0xb1ec0030:
> www.boredpanda.com A: bad cache hit (www.boredpanda.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.925 dnssec: info: validating @0xb48b17c0:
> www.boredpanda.com AAAA: bad cache hit (www.boredpanda.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.927 dnssec: info: validating @0xb48b17c0:
> www.bbc.co.uk AAAA: bad cache hit (www.bbc.co.uk.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.927 dnssec: info: validating @0xb4858cb0:
> www.bbc.co.uk A: bad cache hit (www.bbc.co.uk.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.935 dnssec: info: validating @0xb48b17c0:
> www.boredpanda.com A: bad cache hit (www.boredpanda.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.935 dnssec: info: validating @0xb4858cb0:
> www.boredpanda.com AAAA: bad cache hit (www.boredpanda.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.938 dnssec: info: validating @0xb1ec0030:
> www.bbc.co.uk A: bad cache hit (www.bbc.co.uk.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.938 dnssec: info: validating @0xb462c430:
> www.bbc.co.uk AAAA: bad cache hit (www.bbc.co.uk.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.950 dnssec: info: validating @0xb48b17c0:
> www.fosslinux.com A: bad cache hit (www.fosslinux.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.951 dnssec: info: validating @0xb4858cb0:
> www.fosslinux.com AAAA: bad cache hit (www.fosslinux.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.962 dnssec: info: validating @0xb48b17c0:
> www.fosslinux.com A: bad cache hit (www.fosslinux.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.962 dnssec: info: validating @0xb4858cb0:
> www.fosslinux.com AAAA: bad cache hit (www.fosslinux.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:11.021 dnssec: info: validating @0xb1ec0030:
> uk.yahoo.com AAAA: bad cache hit (uk.yahoo.com.dlv.isc.org/DLV)
>
> Followed by;
>
> 25-Mar-2020 16:26:25.828 dnssec: info: validating @0xb48fdcd0:
> dlv.isc.org NSEC: verify failed due to bad signature (keyid=64263):
> RRSIG has expired
> 25-Mar-2020 16:26:25.828 dnssec: info: validating @0xb48fdcd0:
> dlv.isc.org NSEC: no valid signature found
>
> 25-Mar-2020 16:29:05.075 dnssec: info: validating @0xb473dc48:
> dlv.isc.org DNSKEY: verify failed due to bad signature (keyid=19297):
> RRSIG has expired
> 25-Mar-2020 16:29:05.075 dnssec: notice: validating @0xb473dc48:
> dlv.isc.org DNSKEY: unable to find a DNSKEY which verifies the DNSKEY
> RRset and also matches a trusted key for 'dlv.isc.org'
> 25-Mar-2020 16:29:05.075 dnssec: notice: validating @0xb473dc48:
> dlv.isc.org DNSKEY: please check the 'trusted-keys' for
> 'dlv.isc.org' in named.conf.
>
> No issues with our CentOS 7.7.1908 bind DNS servers.
>
> To fix I had to set the following in /etc/named.conf and restart the
> named service.
>
>     dnssec-enable no;
>     dnssec-validation no;
>
> Anyone else had this issue?
> Is there an updated key that is needed in CentOS 6.10 version of bind
> so that I can turn dnssec back on.
>
> regards Tim
>
> Tim D'Cruz
>
--
Robert Heller -- 978-544-6933 Cell: 413-658-7953 GV: 978-633-5364
Deepwoods Software -- Custom Software Services
http://www.deepsoft.com/ -- Linux Administration Services
heller at deepsoft.com -- Webhosting Services
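
Added example, not part of either message: a small triage script for named.log that separates the zone whose own signatures expired from the names that merely failed because of it. The function name triage() and the sample log (constructed, modelled on the lines quoted above) are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample, modelled on the named.log lines quoted in the message.
SAMPLE_LOG = """\
25-Mar-2020 16:26:10.898 dnssec: info: validating @0xb48b17c0: www.kernel.org AAAA: bad cache hit (www.kernel.org.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.927 dnssec: info: validating @0xb4858cb0: www.bbc.co.uk A: bad cache hit (www.bbc.co.uk.dlv.isc.org/DLV)
25-Mar-2020 16:26:25.828 dnssec: info: validating @0xb48fdcd0: dlv.isc.org NSEC: verify failed due to bad signature (keyid=64263): RRSIG has expired
25-Mar-2020 16:26:25.828 dnssec: info: validating @0xb48fdcd0: dlv.isc.org NSEC: no valid signature found
25-Mar-2020 16:29:05.075 dnssec: info: validating @0xb473dc48: dlv.isc.org DNSKEY: verify failed due to bad signature (keyid=19297): RRSIG has expired
25-Mar-2020 16:29:05.075 dnssec: notice: validating @0xb473dc48: dlv.isc.org DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for 'dlv.isc.org'
25-Mar-2020 16:30:00.000 general: info: zone example.test/IN: loaded serial 1
"""

LINE = re.compile(
    r"^(?P<ts>\S+ \S+) dnssec: \w+: validating @0x[0-9a-f]+: "
    r"(?P<name>\S+) (?P<rtype>[A-Z0-9]+): (?P<msg>.*)$"
)
EXPIRED = re.compile(r"bad signature \(keyid=(\d+)\): RRSIG has expired")
LOOKASIDE = re.compile(r"bad cache hit \((\S+)/DLV\)")
NO_ANCHOR = re.compile(r"matches a trusted key for '([^']+)'")

def triage(log_text):
    """Group dnssec validator messages by cause and name the failing zone."""
    expired_keys = {}              # zone -> key ids whose RRSIGs expired
    lookaside_victims = Counter()  # queried name -> failures via DLV lookup
    broken_anchors = set()         # zones with no usable trusted key
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a dnssec validator line
        name, msg = m["name"], m["msg"]
        if (hit := EXPIRED.search(msg)):
            expired_keys.setdefault(name, set()).add(int(hit.group(1)))
        elif LOOKASIDE.search(msg):
            lookaside_victims[name] += 1
        elif (hit := NO_ANCHOR.search(msg)):
            broken_anchors.add(hit.group(1))
    # Zones with expired signatures are the cause; the other names are fallout.
    return {
        "root_cause_zones": sorted(expired_keys),
        "expired_keyids": {z: sorted(k) for z, k in expired_keys.items()},
        "broken_anchors": sorted(broken_anchors),
        "affected_names": dict(lookaside_victims),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the sample, every failure traces back to dlv.isc.org, the lookaside zone, and none to signatures of the queried domains themselves.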