[CentOS] bind problems

Helmut Drodofsky

drodofsky at internet-xs.de
Fri Dec 27 22:54:55 UTC 2019


I did a yum update of bind on 21.12.2019. yum.log:

Dec 21 23:14:41 Updated: 32:bind-license-9.11.4-9.P2.el7.noarch
Dec 21 23:16:43 Installed: 32:bind-export-libs-9.11.4-9.P2.el7.x86_64
Dec 21 23:16:49 Updated: 32:bind-libs-lite-9.11.4-9.P2.el7.x86_64
Dec 21 23:16:50 Updated: 32:bind-libs-9.11.4-9.P2.el7.x86_64
Dec 21 23:18:02 Updated: rpcbind-0.2.0-48.el7.x86_64
Dec 21 23:23:21 Updated: 32:bind-9.11.4-9.P2.el7.x86_64
Dec 21 23:24:44 Updated: 32:bind-utils-9.11.4-9.P2.el7.x86_64

Up to this date, bind had gone 4 months with the last update to bind
9.9.4 without any problem.

Since the bold line in named.log

27-Dec-2019 23:20:21.200 general: info: zone
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN:
loaded serial 0
27-Dec-2019 23:20:21.201 general: info: zone localhost/IN: loaded serial 0
27-Dec-2019 23:20:21.201 general: notice: all zones loaded
27-Dec-2019 23:20:21.201 general: notice: running
27-Dec-2019 23:20:21.223 notify: info: zone dyn.internet-xs.net/IN:
sending notifies (serial 2018012040)
27-Dec-2019 23:20:21.226 notify: info: zone panama.int/IN: sending
notifies (serial 2016121200)
27-Dec-2019 23:20:21.227 notify: info: zone ixsdns.de/IN: sending
notifies (serial 2018010102)
*27-Dec-2019 23:20:28.434 dnssec: info: validating ./NS: got insecure
response; parent indicates it should be secure*
27-Dec-2019 23:20:28.444 general: warning: managed-keys-zone: No DNSKEY
RRSIGs found for '.': success
27-Dec-2019 23:20:29.219 dnssec: info: validating ./NS: no valid
signature found
27-Dec-2019 23:20:29.714 dnssec: info:   validating ./SOA: got insecure
response; parent indicates it should be secure
27-Dec-2019 23:20:29.957 dnssec: info: validating ./NS: no valid
signature found

named needs about 1 hour to become really active. The named.log shows:

.....
7-Dec-2019 23:36:28.268 dnssec: info: validating it/DS: no valid
signature found
27-Dec-2019 23:36:28.270 dnssec: info: validating net/DS: no valid
signature found
27-Dec-2019 23:36:28.271 dnssec: info: validating info/DS: no valid
signature found
27-Dec-2019 23:36:28.281 dnssec: info: validating net/DS: no valid
signature found
27-Dec-2019 23:36:28.295 dnssec: info: validating net/DS: no valid
signature found
27-Dec-2019 23:36:28.296 dnssec: info: validating it/DS: no valid
signature found
27-Dec-2019 23:36:28.323 dnssec: info: validating net/DS: no valid
signature found
27-Dec-2019 23:36:28.440 dnssec: info: validating it/DS: no valid
signature found
27-Dec-2019 23:36:28.473 dnssec: info: validating net/DS: no valid
signature found
27-Dec-2019 23:36:28.597 dnssec: info: validating it/DS: no valid
signature found
27-Dec-2019 23:36:28.634 dnssec: info: validating net/DS: no valid
signature found
27-Dec-2019 23:36:29.303 dnssec: info: validating org/DS: no valid
signature found
27-Dec-2019 23:36:29.308 dnssec: info: validating org/DS: no valid
signature found
27-Dec-2019 23:36:29.313 dnssec: info: validating org/DS: no valid
signature found
27-Dec-2019 23:36:29.318 dnssec: info: validating org/DS: no valid
signature found
27-Dec-2019 23:36:29.323 dnssec: info: validating org/DS: no valid
signature found
27-Dec-2019 23:36:29.328 dnssec: info: validating org/DS: no valid
signature found
27-Dec-2019 23:36:29.335 dnssec: info: validating org/DS: no valid
signature found
27-Dec-2019 23:36:29.345 dnssec: info: validating org/DS: no valid
signature found
27-Dec-2019 23:36:29.360 dnssec: info: validating org/DS: no valid
signature found
27-Dec-2019 23:36:29.387 dnssec: info: validating org/DS: no valid
signature found
....
and very many more lines like the above.

This validation happens even when
dnssec-enable no;
and dnssec-validation and dnssec-lookaside are commented out.

Any idea?

-- 
best regards

Helmut Drodofsky



