Hi,
Anyone else had any issues with CentOS 6.10 bind DNS servers this afternoon?
At 16:26 (GMT) we had alerts for DNS failures against our CentOS 6.10 bind DNS servers from our monitoring system.
Sure enough DNS requests via the server were failing; checking the named.log showed dnssec issues:
25-Mar-2020 16:26:10.285 dnssec: info: validating @0xb48b17c0: push.services.mozilla.com A: bad cache hit (push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.337 dnssec: info: validating @0xb4858cb0: push.services.mozilla.com AAAA: bad cache hit (push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.349 dnssec: info: validating @0xb48b17c0: push.services.mozilla.com AAAA: bad cache hit (push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.349 dnssec: info: validating @0xb4858cb0: push.services.mozilla.com A: bad cache hit (push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.359 dnssec: info: validating @0xb1ec0030: push.services.mozilla.com A: bad cache hit (push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.360 dnssec: info: validating @0xb462c430: push.services.mozilla.com AAAA: bad cache hit (push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.441 dnssec: info: validating @0xb48b17c0: push.services.mozilla.com A: bad cache hit (push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.441 dnssec: info: validating @0xb4858cb0: push.services.mozilla.com AAAA: bad cache hit (push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.451 dnssec: info: validating @0xb1ec0030: push.services.mozilla.com A: bad cache hit (push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.452 dnssec: info: validating @0xb462c430: push.services.mozilla.com AAAA: bad cache hit (push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.463 dnssec: info: validating @0xb1ec0030: push.services.mozilla.com A: bad cache hit (push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.463 dnssec: info: validating @0xb462c430: push.services.mozilla.com AAAA: bad cache hit (push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.474 dnssec: info: validating @0xb1ec0030: push.services.mozilla.com AAAA: bad cache hit (push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.474 dnssec: info: validating @0xb462c430: push.services.mozilla.com A: bad cache hit (push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.898 dnssec: info: validating @0xb48b17c0: www.kernel.org AAAA: bad cache hit (www.kernel.org.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.899 dnssec: info: validating @0xb4858cb0: www.kernel.org A: bad cache hit (www.kernel.org.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.902 dnssec: info: validating @0xb1ec0030: www.national-lottery.co.uk A: bad cache hit (www.national-lottery.co.uk.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.902 dnssec: info: validating @0xb48b17c0: www.mirrorservice.org A: bad cache hit (www.mirrorservice.org.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.902 dnssec: info: validating @0xb462c430: www.national-lottery.co.uk AAAA: bad cache hit (www.national-lottery.co.uk.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.903 dnssec: info: validating @0xb48b17c0: www.mirrorservice.org AAAA: bad cache hit (www.mirrorservice.org.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.908 dnssec: info: validating @0xb1ec0030: www.kernel.org A: bad cache hit (www.kernel.org.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.909 dnssec: info: validating @0xb462c430: www.kernel.org AAAA: bad cache hit (www.kernel.org.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.914 dnssec: info: validating @0xb48b17c0: www.mirrorservice.org A: bad cache hit (www.mirrorservice.org.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.915 dnssec: info: validating @0xb4858cb0: www.mirrorservice.org AAAA: bad cache hit (www.mirrorservice.org.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.915 dnssec: info: validating @0xb48b17c0: www.national-lottery.co.uk AAAA: bad cache hit (www.national-lottery.co.uk.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.916 dnssec: info: validating @0xb48b17c0: www.national-lottery.co.uk A: bad cache hit (www.national-lottery.co.uk.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.925 dnssec: info: validating @0xb1ec0030: www.boredpanda.com A: bad cache hit (www.boredpanda.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.925 dnssec: info: validating @0xb48b17c0: www.boredpanda.com AAAA: bad cache hit (www.boredpanda.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.927 dnssec: info: validating @0xb48b17c0: www.bbc.co.uk AAAA: bad cache hit (www.bbc.co.uk.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.927 dnssec: info: validating @0xb4858cb0: www.bbc.co.uk A: bad cache hit (www.bbc.co.uk.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.935 dnssec: info: validating @0xb48b17c0: www.boredpanda.com A: bad cache hit (www.boredpanda.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.935 dnssec: info: validating @0xb4858cb0: www.boredpanda.com AAAA: bad cache hit (www.boredpanda.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.938 dnssec: info: validating @0xb1ec0030: www.bbc.co.uk A: bad cache hit (www.bbc.co.uk.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.938 dnssec: info: validating @0xb462c430: www.bbc.co.uk AAAA: bad cache hit (www.bbc.co.uk.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.950 dnssec: info: validating @0xb48b17c0: www.fosslinux.com A: bad cache hit (www.fosslinux.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.951 dnssec: info: validating @0xb4858cb0: www.fosslinux.com AAAA: bad cache hit (www.fosslinux.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.962 dnssec: info: validating @0xb48b17c0: www.fosslinux.com A: bad cache hit (www.fosslinux.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.962 dnssec: info: validating @0xb4858cb0: www.fosslinux.com AAAA: bad cache hit (www.fosslinux.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:11.021 dnssec: info: validating @0xb1ec0030: uk.yahoo.com AAAA: bad cache hit (uk.yahoo.com.dlv.isc.org/DLV)
Followed by:
25-Mar-2020 16:26:25.828 dnssec: info: validating @0xb48fdcd0: dlv.isc.org NSEC: verify failed due to bad signature (keyid=64263): RRSIG has expired
25-Mar-2020 16:26:25.828 dnssec: info: validating @0xb48fdcd0: dlv.isc.org NSEC: no valid signature found
25-Mar-2020 16:29:05.075 dnssec: info: validating @0xb473dc48: dlv.isc.org DNSKEY: verify failed due to bad signature (keyid=19297): RRSIG has expired
25-Mar-2020 16:29:05.075 dnssec: notice: validating @0xb473dc48: dlv.isc.org DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for 'dlv.isc.org'
25-Mar-2020 16:29:05.075 dnssec: notice: validating @0xb473dc48: dlv.isc.org DNSKEY: please check the 'trusted-keys' for 'dlv.isc.org' in named.conf.
No issues with our CentOS 7.7.1908 bind DNS servers.
To fix I had to set the following in /etc/named.conf and restart the named service.
dnssec-enable no;
dnssec-validation no;
Anyone else had this issue? Is there an updated key that is needed in the CentOS 6.10 version of bind so that I can turn dnssec back on?
regards Tim
Tim D'Cruz
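The log excerpt above mixes two different things: per-name "bad cache hit (...dlv.isc.org/DLV)" lines, and a handful of lines about dlv.isc.org itself ("RRSIG has expired", "unable to find a DNSKEY ... matches a trusted key"). A monitor that only counts failures cannot tell "one domain's signatures are broken" from "the lookaside trust anchor is dead and every DLV-routed name fails". The following is an added example, not code from the thread or from the BIND project: it classifies named.log dnssec lines and reports which case applies. The failure-class names, the `lookaside_zone` parameter and the `summarize` structure are this example's own; the sample lines are copied from the excerpt above plus one constructed non-dnssec line the parser must skip.

```python
"""Classify BIND 'dnssec:' log lines so a monitor can tell an expired DLV
(lookaside) trust anchor apart from ordinary per-domain validation failures.
Added example; the failure-class names below are this example's own, not BIND's."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# Timestamp, severity, the name/type being validated and the message text.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) dnssec: (?P<sev>\w+): "
    r"validating @0x[0-9a-f]+: (?P<zone>\S+) (?P<rtype>\S+): (?P<msg>.*)$"
)
# Message fragments that identify each failure class.
BAD_CACHE_RE = re.compile(r"bad cache hit \((?P<lookup>\S+)/DLV\)")
EXPIRED_RE = re.compile(r"bad signature \(keyid=(?P<keyid>\d+)\): RRSIG has expired")
ANCHOR_RE = re.compile(r"matches a trusted key for '(?P<anchor>[^']+)'")


class Event(NamedTuple):
    ts: str
    kind: str      # dlv_cache | rrsig_expired | trust_anchor_mismatch | no_signature | other
    zone: str      # name whose records were being validated
    detail: str    # lookaside lookup name, keyid, anchor name, or raw message


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for one dnssec validation line, None for any other log line."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ts, zone, msg = m.group("ts"), m.group("zone"), m.group("msg")
    c = BAD_CACHE_RE.search(msg)
    if c:
        # The validator consulted <name>.dlv.isc.org/DLV and hit a cached answer
        # it could not use; every name routed through lookaside fails this way.
        return Event(ts, "dlv_cache", zone, c.group("lookup"))
    e = EXPIRED_RE.search(msg)
    if e:
        return Event(ts, "rrsig_expired", zone, e.group("keyid"))
    a = ANCHOR_RE.search(msg)
    if a:
        return Event(ts, "trust_anchor_mismatch", zone, a.group("anchor"))
    if msg.startswith("no valid signature found"):
        return Event(ts, "no_signature", zone, "")
    return Event(ts, "other", zone, msg)


def summarize(lines: List[str], lookaside_zone: str = "dlv.isc.org") -> Dict:
    """Aggregate events and decide whether the lookaside anchor itself has failed."""
    events = [ev for ev in map(parse_line, lines) if ev is not None]
    counts = Counter(ev.kind for ev in events)
    dlv_names = {ev.zone for ev in events if ev.kind == "dlv_cache"}
    # Expired RRSIGs or a trusted-key mismatch on the lookaside zone itself mean
    # the anchor is dead: every domain checked via DLV fails, whatever the state
    # of that domain's own signatures.
    anchor_failures = {
        ev.zone for ev in events
        if ev.kind in ("rrsig_expired", "trust_anchor_mismatch") and ev.zone == lookaside_zone
    }
    if anchor_failures:
        verdict = "dlv_anchor_expired"
    elif counts["rrsig_expired"] or counts["no_signature"] or counts["dlv_cache"]:
        verdict = "domain_validation_failures"
    else:
        verdict = "clean"
    return {"counts": dict(counts), "dlv_names": dlv_names,
            "anchor_failures": anchor_failures, "verdict": verdict}


# Sample input: the first seven lines are copied from the named.log excerpt in
# the thread; the last one is a constructed non-dnssec line the parser must skip.
SAMPLE_LOG = [
    "25-Mar-2020 16:26:10.285 dnssec: info: validating @0xb48b17c0: push.services.mozilla.com A: bad cache hit (push.services.mozilla.com.dlv.isc.org/DLV)",
    "25-Mar-2020 16:26:10.898 dnssec: info: validating @0xb48b17c0: www.kernel.org AAAA: bad cache hit (www.kernel.org.dlv.isc.org/DLV)",
    "25-Mar-2020 16:26:25.828 dnssec: info: validating @0xb48fdcd0: dlv.isc.org NSEC: verify failed due to bad signature (keyid=64263): RRSIG has expired",
    "25-Mar-2020 16:26:25.828 dnssec: info: validating @0xb48fdcd0: dlv.isc.org NSEC: no valid signature found",
    "25-Mar-2020 16:29:05.075 dnssec: info: validating @0xb473dc48: dlv.isc.org DNSKEY: verify failed due to bad signature (keyid=19297): RRSIG has expired",
    "25-Mar-2020 16:29:05.075 dnssec: notice: validating @0xb473dc48: dlv.isc.org DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for 'dlv.isc.org'",
    "25-Mar-2020 16:29:05.075 dnssec: notice: validating @0xb473dc48: dlv.isc.org DNSKEY: please check the 'trusted-keys' for 'dlv.isc.org' in named.conf.",
    "25-Mar-2020 16:30:00.000 general: info: zone example.test/IN: loaded serial 1",
]

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(result["verdict"], result["counts"], sorted(result["dlv_names"]))
```

On the sample input the verdict is dlv_anchor_expired with two names routed through DLV; on a log that only has a single zone's "RRSIG has expired" lines it would report domain_validation_failures instead, which is the distinction that decides whether the fix belongs in named.conf or with the remote zone's operator.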
At Wed, 25 Mar 2020 17:03:23 +0000 CentOS mailing list centos@centos.org wrote:
Hi,
   Anyone else had any issues with CentOS 6.10 bind DNS server issues
Yes. The installed ISC DLV key installed with bind-9.8.2-0.68.rc1.el6_10.3.x86_64 seems to have expired and there does not appear to be a new bind-9.8.2 RPM with a new key. I guess you can *manually* fetch a new key (look in the installed /etc/named.iscdlv.key file)
OR
You can just disable dnssec, by commenting out these lines:
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
and restarting named.
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Once upon a time, Robert Heller heller@deepsoft.com said:
Yes. The installed ISC DLV key installed with bind-9.8.2-0.68.rc1.el6_10.3.x86_64 seems to have expired and there does not appear to be a new bind-9.8.2 RPM with a new key. I guess you can *manually* fetch a new key (look in the installed /etc/named.iscdlv.key file)
ISC DLV has been obsolete for a while now, you should disable it.
dnssec-lookaside auto;
I think setting this to "no" and restarting named should do it.
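Pulling the two replies together (Robert's "disable dnssec" workaround and Chris's "drop the obsolete lookaside"), here is an added named.conf fragment that is not from the thread or from the CentOS bind package. It shows the weak setting next to the corrected one, so the difference is visible: turning validation off silences the log but also stops checking every answer, whereas removing only the lookaside keeps validation against the root trust anchor. The `dnssec-validation auto;` form loads the root key through managed-keys; the assumption here is that the server's bind build supports it (the 9.8.2 package named above does) and that nothing else in the file still references dlv.isc.org.

```conf
// Weak fix, as applied earlier in the thread: validation switched off entirely.
// named stops logging the DLV failures, but no answer is checked any more.
options {
    dnssec-enable yes;
    dnssec-validation no;
};

// Corrected: keep validation, drop the obsolete lookaside zone.
// (Added example; replaces the "dnssec-lookaside auto;" line quoted above.)
options {
    dnssec-enable yes;
    dnssec-validation auto;   // root trust anchor, maintained via managed-keys
    dnssec-lookaside no;      // never consult dlv.isc.org again
    // bindkeys-file may stay; it is only read for the keys "auto" needs.
    bindkeys-file "/etc/named.iscdlv.key";
};
```

After the edit, `named-checkconf` catches syntax slips before the restart, and a `dig +dnssec` against the resolver for a signed name should still return the `ad` flag; if the flag is missing with the corrected block in place, validation is not actually running and the change has not taken effect.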