3 new servers couldn't download the key for '.' and there really wasn't any indication

Drew Weaver drew.weaver at thenap.com
Thu Oct 31 12:15:06 UTC 2024


The three servers were replaced in the exact same way they were already running, including the same configuration file, and all of the IP filtering etc. is the same, as they are the same IP addresses.

I did notice that for whatever reason Bind on EL9 seems to require this:

include "/etc/crypto-policies/back-ends/bind.config";

and it didn't previously.

Is there a way to kick off a test download of that key? I tried this: rndc managed-keys refresh, but it didn't actually seem to do anything.

Is there a way to figure out which of the things it was trying to use to get the keys before? UDP53, TCP53, ICMP [v4|v6]?

I just expected the service not to start if it's missing the DNSSEC keys.

Thanks,
-Drew




-----Original Message-----
From: Mark Andrews <marka at isc.org> 
Sent: Wednesday, October 30, 2024 4:46 PM
To: Drew Weaver <drew.weaver at thenap.com>
Cc: bind-users at lists.isc.org
Subject: Re: 3 new servers couldn't download the key for '.' and there really wasn't any indication

So you didn't see the log message produced by this?

                dnssec_log(zone, ISC_LOG_WARNING,
                           "Unable to fetch DNSKEY set '%s': %s", namebuf,
                           isc_result_totext(eresult));

And if the forwarder is stripping RRSIGs.  Forwarders need to support DNSSEC.

                dnssec_log(zone, ISC_LOG_WARNING,
                           "No DNSKEY RRSIGs found for '%s': %s", namebuf,
                           isc_result_totext(eresult));

Things will likely fail if your link to the world is broken, or is not allowing DNS over both UDP and TCP, or is filtering fragments (check both IPv4 and IPv6), or is blocking ICMP or ICMPv6.

Mark


> On 31 Oct 2024, at 00:36, Drew Weaver <drew.weaver at thenap.com> wrote:
> 
> Hello,
>  We recently replaced 3 BIND 9 servers with newer ones.
>  For whatever reason, during the initial setup process the 3 servers all failed to download the DNSSEC key for '.', and there was no indication whatsoever that this failed.
>  I would propose that if the server is configured as a caching nameserver that if it cannot download the key the service shouldn’t start at all or there should be some very forceful indication that it didn’t work.
>  Also does anyone know under what conditions that process fails?
>  I’d like to avoid this in the future.
>  Thanks,
> -Drew


--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
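Drew's complaint is that there was "no indication" the root key fetch failed, and Mark's answer is that BIND does log it, as the two dnssec_log() warnings quoted above. The script below is an added example and is not part of this thread or of BIND itself: it scans named log lines for exactly those two message texts ("Unable to fetch DNSKEY set" and "No DNSKEY RRSIGs found"), reports which zone's trust anchor is affected, and returns a non-zero status so a monitoring check can turn the warning into the "forceful indication" Drew asked for. The sample log lines, their timestamp/category prefix, and the function names are constructed for the example; only the message texts come from the quoted BIND source.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# The two message formats are the dnssec_log() warnings quoted in Mark's reply.
# The regexes anchor on the message text only, so the log-line prefix
# (timestamp, category, severity, zone label) can be whatever your channel
# configuration produces.
KEY_FETCH_PATTERNS = {
    "fetch-failed": re.compile(
        r"Unable to fetch DNSKEY set '(?P<zone>[^']+)': (?P<result>.+)$"),
    "rrsigs-missing": re.compile(
        r"No DNSKEY RRSIGs found for '(?P<zone>[^']+)': (?P<result>.+)$"),
}


@dataclass(frozen=True)
class KeyFetchWarning:
    kind: str      # "fetch-failed" or "rrsigs-missing"
    zone: str      # trust-anchor zone as logged, e.g. "."
    result: str    # the isc_result_totext() string, e.g. "timed out"
    line: str      # the full original log line, for the alert body


def parse_key_fetch_warnings(lines: Iterable[str]) -> List[KeyFetchWarning]:
    """Return every DNSKEY fetch / RRSIG warning found in the given log lines."""
    found = []
    for line in lines:
        for kind, pattern in KEY_FETCH_PATTERNS.items():
            match = pattern.search(line)
            if match:
                found.append(KeyFetchWarning(kind, match.group("zone"),
                                             match.group("result").strip(),
                                             line.rstrip()))
                break  # one line matches at most one pattern
    return found


def trust_anchor_status(lines: Iterable[str],
                        anchors: Iterable[str] = (".",)) -> Dict[str, List[str]]:
    """Map each trust-anchor zone to the kinds of warnings seen for it.

    Zones listed in `anchors` always appear, so an empty list means the log
    window contained no fetch problem for that anchor.
    """
    status: Dict[str, List[str]] = {anchor: [] for anchor in anchors}
    for warning in parse_key_fetch_warnings(lines):
        zone = warning.zone.split("/")[0]  # tolerate a 'name/class' form
        status.setdefault(zone, []).append(warning.kind)
    return status


def exit_code_for(status: Dict[str, List[str]]) -> int:
    """Nagios-style: 0 when every anchor is clean, 2 (critical) otherwise."""
    return 2 if any(kinds for kinds in status.values()) else 0


# Constructed sample log lines; the prefix format is an assumption, the
# message texts are the ones BIND emits from the quoted dnssec_log() calls.
SAMPLE_LOG = [
    "31-Oct-2024 12:00:01.123 general: info: managed-keys-zone: loaded serial 1",
    "31-Oct-2024 12:00:05.456 general: warning: managed-keys-zone: "
    "Unable to fetch DNSKEY set '.': timed out",
    "31-Oct-2024 12:00:09.789 general: warning: managed-keys-zone: "
    "No DNSKEY RRSIGs found for '.': not found",
    "31-Oct-2024 12:00:10.000 general: info: resolver priming query complete",
]


if __name__ == "__main__":
    import sys
    status = trust_anchor_status(SAMPLE_LOG)
    for warning in parse_key_fetch_warnings(SAMPLE_LOG):
        print(f"{warning.kind}: zone {warning.zone!r}: {warning.result}")
    for zone, kinds in status.items():
        print(f"anchor {zone!r}: {'OK' if not kinds else ', '.join(kinds)}")
    sys.exit(exit_code_for(status))
```

Run it against `journalctl -u named` output or the file your `logging` channel writes to; a "fetch-failed" result of "timed out" points at the UDP/TCP/fragment/ICMP reachability problems Mark lists, while "rrsigs-missing" is the signature of a forwarder stripping RRSIGs.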


