Bind9 version 9.17.12 not starting without different DNS server

Dominik dominiks.mail at
Mon May 17 07:13:59 UTC 2021


Yesterday I tried version 9.17.12 because of the new TLS features.
My resolv.conf only contains the local resolver and ::1.

The problem is that the new Bind9 doesn't start without having an
alternative resolver in resolv.conf. It looks like something in the
Bind9 startup process relies on DNS before it is itself serving queries.

The last message in the logfile is:

named[14264]: managed-keys-zone: Failed to create fetch for DNSKEY update

After that the Bind9 process is running but doesn't answer queries.

Thanks for any help.



The named.conf looks like this:
// TLS key/certificate pair referenced by the port 853 listener below
tls mytls {
    cert-file "/etc/ssl/example.crt";
    key-file "/etc/ssl/example.key";
};

options {
    directory "/usr/local/bind9/var/cache";
    querylog no;
    auth-nxdomain no;
    dnssec-validation auto;
    minimal-responses no-auth-recursive;
    listen-on port 53 { any; };
    listen-on-v6 { ::1; };
    listen-on port 853 tls mytls { any; };
    allow-transfer { none; };
    allow-recursion {; ::1; };
    recursion yes;
};

logging {
    category lame-servers { null; };
};

// prime the server with knowledge of the root servers
zone "." {
    type hint;
    file "/usr/local/bind9/etc/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
    type master;
    file "/usr/local/bind9/etc/db.local";
};

zone "" {
    type master;
    file "/usr/local/bind9/etc/db.127";
};

zone "" {
    type master;
    file "/usr/local/bind9/etc/db.0";
};

zone "" {
    type master;
    file "/usr/local/bind9/etc/db.255";
};
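A small startup health check, added here as an example and not code from the post or from BIND: it encodes the poster's hypothesis (loopback-only resolv.conf plus the managed-keys fetch failure in the log means trust-anchor bootstrap is blocked) so an operator can spot the combination automatically. The log-line prefix and the sample resolv.conf contents are constructed assumptions.

```python
"""Check resolv.conf and the named log for the failure pattern described above."""
import ipaddress
import re

# Message text is taken from the post; the "named[pid]:" prefix is assumed.
FETCH_FAIL = re.compile(r"named\[\d+\]: managed-keys-zone: Failed to create fetch")

def parse_nameservers(resolv_conf: str) -> list:
    """Return the IP addresses of all 'nameserver' lines, ignoring comments."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                pass  # malformed address: skip rather than crash the check
    return servers

def loopback_only(servers) -> bool:
    """True when every configured resolver is a loopback address (127/8 or ::1)."""
    return bool(servers) and all(s.is_loopback for s in servers)

def fetch_failures(log_text: str) -> list:
    """Return the log lines reporting a failed managed-keys DNSKEY fetch."""
    return [line for line in log_text.splitlines() if FETCH_FAIL.search(line)]

def diagnose(resolv_conf: str, log_text: str) -> str:
    """Classify the host into one of four states a startup check can act on."""
    servers = parse_nameservers(resolv_conf)
    failures = fetch_failures(log_text)
    if failures and loopback_only(servers):
        return "trust-anchor-bootstrap-blocked"   # the situation in the post
    if failures:
        return "fetch-failed-with-upstream"       # failure despite an upstream resolver
    if loopback_only(servers):
        return "loopback-only-no-failure"
    return "ok"

# Constructed sample inputs mirroring the post.
SAMPLE_RESOLV = "# local resolver only\nnameserver 127.0.0.1\nnameserver ::1\n"
SAMPLE_LOG = ("May 17 07:10:01 host named[14264]: running\n"
              "May 17 07:10:02 host named[14264]: managed-keys-zone: "
              "Failed to create fetch for DNSKEY update\n")

if __name__ == "__main__":
    print(diagnose(SAMPLE_RESOLV, SAMPLE_LOG))  # trust-anchor-bootstrap-blocked
```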

More information about the bind-users mailing list