I want to know why I suddenly can't resolve names.

Mark Andrews marka at isc.org
Mon Aug 19 02:12:26 UTC 2024


I will repeat what I said before when you logged this as a bug.

Stop using look aside validation. The service has been turned off for 7
years now.  The only thing there is an empty zone that is returning NXDOMAIN
for every lookup other than the apex which only has SOA, NS, NSEC and RRSIG
records.  There are no DLV records there to look up.

https://kb.isc.org/docs/disable-dnssec-lookaside-dlv-now-heres-how

Also I am not going to ask operations what happened 2 weeks ago to cause
the signature to be momentarily bad.

Mark

> On 19 Aug 2024, at 10:51, 秋林峻祐 <jst125 at d2c.co.jp> wrote:
> 
> This will be my first email. Sorry for any rough edges.
> ISSUE:: I am using a DNS server in Japan. The DNS server failed to resolve the domain name on August 2, 2024. It automatically recovered after a while. The following message was recorded in the logs.
> I want to know why I suddenly can't resolve names.
> logs::
> log1: validating @0xXXXXXXXXXXXXXXXX: dlv.isc.org DNSKEY: verify failed due to bad signature (keyid=xxxxxxx): RRSIG has expired
> log2: validating @0xXXXXXXXXXXXXXXXX: domain.example.com A: bad cache hit (domain.example.com.dlv.isc.org/DLV)
> timestamp:: Failure date: 2024.08.02 00:39:30 (JST) Failure recovery date: 2024.08.02 05:06:06 (JST)
> env:: CentOS release 6.4 (Final) BIND version: bind-9.8.2-0.68.rc1.el6_10.8.x86_64 Execution user: /group:root / named
> Considerations:: There were no other physical or internal OS failures. From the fact that the recovery was automatic, I am guessing that there was a failure or maintenance in the dlv repository for verification. If you have any other information related to the cause of the problem, we would appreciate it if you could share it with us.
> Discussion::
> I know that “Look aside validation” has already been discontinued, but I have a question to isolate the cause.
> I would like to know why “Look aside validation” has already been discontinued, yet the system usually operates without problems.
> There were no other physical or internal OS failures.
> The system recovered automatically.
> I am guessing that it was caused by the dlv repository for validation.
> If anyone has any other information relate

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
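
An added example (not part of the original messages and not ISC code): a Python check that flags active `dnssec-lookaside` statements in a named.conf fragment and picks out validator log lines that involve dlv.isc.org, using the log format quoted in the report. The config fragment, the addresses and the key id are constructed sample values, and the comment stripping is a simplification that ignores quoted strings.

```python
import re

DLV_ZONE = "dlv.isc.org"  # the retired look-aside zone named in the thread

# Constructed sample input: a named.conf fragment and log lines in the quoted format.
SAMPLE_CONF = """\
options {
    dnssec-enable yes;
    dnssec-validation yes;
    // dnssec-lookaside no;
    dnssec-lookaside auto;   /* look-aside still enabled */
};
"""
SAMPLE_LOG = [
    "validating @0x7f00aa000010: dlv.isc.org DNSKEY: verify failed due to bad "
    "signature (keyid=12345): RRSIG has expired",
    "validating @0x7f00aa000020: domain.example.com A: bad cache hit "
    "(domain.example.com.dlv.isc.org/DLV)",
    "validating @0x7f00aa000030: www.example.net A: no valid signature found",
]
LOG_RE = re.compile(r"validating @\S+: (\S+) ([A-Z0-9]+): (.*)")

def strip_comments(conf):
    """Blank out /* */, // and # comments, keeping newlines so line numbers hold."""
    blank = lambda m: re.sub(r"[^\n]", " ", m.group())
    conf = re.sub(r"/\*.*?\*/", blank, conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)

def active_lookaside(conf):
    """Return (line_number, argument) for each dnssec-lookaside not set to 'no'."""
    text, hits = strip_comments(conf), []
    for m in re.finditer(r"\bdnssec-lookaside\s+([^;]+);", text):
        arg = " ".join(m.group(1).split())
        if arg.lower() != "no":
            hits.append((text.count("\n", 0, m.start()) + 1, arg))
    return hits

def dlv_failures(lines, zone=DLV_ZONE):
    """Return (name, rrtype, reason) for validator messages involving the DLV zone."""
    out = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            owner, rrtype, reason = m.group(1).rstrip(".").lower(), m.group(2), m.group(3)
            if owner == zone or owner.endswith("." + zone) or zone in reason.lower():
                out.append((owner, rrtype, reason))
    return out

if __name__ == "__main__":
    print("active look-aside statements:", active_lookaside(SAMPLE_CONF))
    for hit in dlv_failures(SAMPLE_LOG):
        print("DLV-related validation failure:", hit)
```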
