<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></head><body dir="auto">Hi Salma.<div dir="auto"><br></div><div dir="auto">While I haven't experienced your problem before, I do recall having 'issues' with DNSSEC when my router was acting as a caching DNS resolver.</div><div dir="auto"><br></div><div dir="auto">My suggestion is to check if you have an appliance 'helping' with DNS (e.g. between these servers and the Internet?) and if so try turning that function off to see if the problem goes away?</div><div dir="auto"><br></div><div dir="auto">Nick.</div><div><br></div><div align="left" dir="auto" style="font-size:100%;color:#000000"><div>-------- Original message --------</div><div>From: salma smaoui <salma.smaoui1@outlook.fr> </div><div>Date: 22/09/22 11:18 PM (GMT+12:00) </div><div>To: bind-users@lists.isc.org </div><div>Subject: Dnssec issues </div><div><br></div></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)" class="elementToProof">
Hello All,</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)" class="elementToProof">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)" class="elementToProof">
We are facing some resolution problems on a CENTOS resolver that deploys bind 9.11.36-S1 with DNSSEC being activated.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)" class="elementToProof">
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)" class="elementToProof">
The logs in 'default.logs' shows the current errors :</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)" class="elementToProof">
<span style="font-size:11.0pt; font-family:"Courier New",serif" lang="FR-CM">X-Sep-2022 10:34:29.348 dnssec: info: validating shalltry.com/SOA: bad cache hit (shalltry.com/DS)<br>
X-Sep-2022 10:34:29.363 dnssec: info: validating osupdate2020.shalltry.com/A: bad cache hit (shalltry.com/DS)<br>
X-Sep-2022 10:34:29.411 dnssec: info: validating static.cnews.fr/NSEC: no valid signature found<br>
X-Sep-2022 10:34:29.445 dnssec: info: validating ocsp.comodoca.com.cdn.cloudflare.net/A: bad cache hit (cloudflare.net/DNSKEY)<br>
X-Sep-2022 10:34:29.447 dnssec: info: validating cdn.jsdelivr.net.cdn.cloudflare.net/A: bad cache hit (cloudflare.net/DNSKEY)<br>
X-Sep-2022 10:34:29.558 dnssec: info: validating oshola.shalltry.com/A: bad cache hit (shalltry.com/DS)<br>
X-Sep-2022 10:34:29.567 dnssec: info: validating ds.shalltry.com/A: bad cache hit (shalltry.com/DS)<br>
X-Sep-2022 10:34:29.570 dnssec: info: validating cdn.shalltry.com/A: bad cache hit (shalltry.com/DS)<br>
</span></div>
<div class="elementToProof"><span style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">Each night we noticed the occurence of a resolution problem (mini crisis) where requestes receive 'ServFail' for random domains, the maximum
recursive clients is also reached along with the appearance of the error in the logs being highly increased. Even known domain names like apple.com and google.com receive 'ServFail' when requested. Once flushing the cache, the situation gets back to normal
and bind starts functionning correctly.</span></div>
<div class="elementToProof"><span style="font-family:Calibri, Arial, Helvetica, sans-serif;background-color:rgb(255, 255, 255);display:inline !important">In fact, by activating dnssec.log, we noticed these errors : 'no walidating signature found'.</span></div>
<div class="elementToProof"><span style="font-family:Calibri, Arial, Helvetica, sans-serif;background-color:rgb(255, 255, 255);display:inline !important">When deactivating DNSSEC, we noticed that there are no more crisis for now.</span></div>
<div class="elementToProof"><span style="font-family:Calibri, Arial, Helvetica, sans-serif;background-color:rgb(255, 255, 255);display:inline !important">Any possible explanation? Have anyone faced this problem before?</span></div>
<div class="elementToProof"><span style="font-family:Calibri, Arial, Helvetica, sans-serif;background-color:rgb(255, 255, 255);display:inline !important"><br>
</span></div>
<div class="elementToProof"><span style="font-family:Calibri, Arial, Helvetica, sans-serif;background-color:rgb(255, 255, 255);display:inline !important">Best regards.</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)" class="elementToProof">
<span style="font-size:11.0pt; font-family:"Courier New",serif" lang="FR-CM"><br style="">
</span><br>
</div>
</body></html>