[CentOS] CentOS 6.10 bind DNSSEC issues

Wed Mar 25 17:03:23 UTC 2020
Support <support at wearehere.net>

Hi,

Anyone else had any issues with CentOS 6.10 bind DNS servers this afternoon?

At 16:26 (GMT) we had alerts for DNS failures against our CentOS 6.10 bind DNS servers
from our monitoring system.

Sure enough, DNS requests via the server were failing; checking the named.log showed
dnssec issues:

25-Mar-2020 16:26:10.285 dnssec: info: validating @0xb48b17c0: 
push.services.mozilla.com A: bad cache hit 
(push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.337 dnssec: info: validating @0xb4858cb0: 
push.services.mozilla.com AAAA: bad cache hit 
(push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.349 dnssec: info: validating @0xb48b17c0: 
push.services.mozilla.com AAAA: bad cache hit 
(push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.349 dnssec: info: validating @0xb4858cb0: 
push.services.mozilla.com A: bad cache hit 
(push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.359 dnssec: info: validating @0xb1ec0030: 
push.services.mozilla.com A: bad cache hit 
(push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.360 dnssec: info: validating @0xb462c430: 
push.services.mozilla.com AAAA: bad cache hit 
(push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.441 dnssec: info: validating @0xb48b17c0: 
push.services.mozilla.com A: bad cache hit 
(push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.441 dnssec: info: validating @0xb4858cb0: 
push.services.mozilla.com AAAA: bad cache hit 
(push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.451 dnssec: info: validating @0xb1ec0030: 
push.services.mozilla.com A: bad cache hit 
(push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.452 dnssec: info: validating @0xb462c430: 
push.services.mozilla.com AAAA: bad cache hit 
(push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.463 dnssec: info: validating @0xb1ec0030: 
push.services.mozilla.com A: bad cache hit 
(push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.463 dnssec: info: validating @0xb462c430: 
push.services.mozilla.com AAAA: bad cache hit 
(push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.474 dnssec: info: validating @0xb1ec0030: 
push.services.mozilla.com AAAA: bad cache hit 
(push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.474 dnssec: info: validating @0xb462c430: 
push.services.mozilla.com A: bad cache hit 
(push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.898 dnssec: info: validating @0xb48b17c0: 
www.kernel.org AAAA: bad cache hit (www.kernel.org.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.899 dnssec: info: validating @0xb4858cb0: 
www.kernel.org A: bad cache hit (www.kernel.org.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.902 dnssec: info: validating @0xb1ec0030: 
www.national-lottery.co.uk A: bad cache hit 
(www.national-lottery.co.uk.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.902 dnssec: info: validating @0xb48b17c0: 
www.mirrorservice.org A: bad cache hit 
(www.mirrorservice.org.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.902 dnssec: info: validating @0xb462c430: 
www.national-lottery.co.uk AAAA: bad cache hit 
(www.national-lottery.co.uk.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.903 dnssec: info: validating @0xb48b17c0: 
www.mirrorservice.org AAAA: bad cache hit 
(www.mirrorservice.org.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.908 dnssec: info: validating @0xb1ec0030: 
www.kernel.org A: bad cache hit (www.kernel.org.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.909 dnssec: info: validating @0xb462c430: 
www.kernel.org AAAA: bad cache hit (www.kernel.org.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.914 dnssec: info: validating @0xb48b17c0: 
www.mirrorservice.org A: bad cache hit 
(www.mirrorservice.org.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.915 dnssec: info: validating @0xb4858cb0: 
www.mirrorservice.org AAAA: bad cache hit 
(www.mirrorservice.org.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.915 dnssec: info: validating @0xb48b17c0: 
www.national-lottery.co.uk AAAA: bad cache hit 
(www.national-lottery.co.uk.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.916 dnssec: info: validating @0xb48b17c0: 
www.national-lottery.co.uk A: bad cache hit 
(www.national-lottery.co.uk.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.925 dnssec: info: validating @0xb1ec0030: 
www.boredpanda.com A: bad cache hit (www.boredpanda.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.925 dnssec: info: validating @0xb48b17c0: 
www.boredpanda.com AAAA: bad cache hit (www.boredpanda.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.927 dnssec: info: validating @0xb48b17c0: 
www.bbc.co.uk AAAA: bad cache hit (www.bbc.co.uk.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.927 dnssec: info: validating @0xb4858cb0: 
www.bbc.co.uk A: bad cache hit (www.bbc.co.uk.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.935 dnssec: info: validating @0xb48b17c0: 
www.boredpanda.com A: bad cache hit (www.boredpanda.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.935 dnssec: info: validating @0xb4858cb0: 
www.boredpanda.com AAAA: bad cache hit (www.boredpanda.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.938 dnssec: info: validating @0xb1ec0030: 
www.bbc.co.uk A: bad cache hit (www.bbc.co.uk.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.938 dnssec: info: validating @0xb462c430: 
www.bbc.co.uk AAAA: bad cache hit (www.bbc.co.uk.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.950 dnssec: info: validating @0xb48b17c0: 
www.fosslinux.com A: bad cache hit (www.fosslinux.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.951 dnssec: info: validating @0xb4858cb0: 
www.fosslinux.com AAAA: bad cache hit (www.fosslinux.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.962 dnssec: info: validating @0xb48b17c0: 
www.fosslinux.com A: bad cache hit (www.fosslinux.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.962 dnssec: info: validating @0xb4858cb0: 
www.fosslinux.com AAAA: bad cache hit (www.fosslinux.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:11.021 dnssec: info: validating @0xb1ec0030: 
uk.yahoo.com AAAA: bad cache hit (uk.yahoo.com.dlv.isc.org/DLV)

Followed by:

25-Mar-2020 16:26:25.828 dnssec: info:   validating @0xb48fdcd0: 
dlv.isc.org NSEC: verify failed due to bad signature (keyid=64263): 
RRSIG has expired
25-Mar-2020 16:26:25.828 dnssec: info:   validating @0xb48fdcd0: 
dlv.isc.org NSEC: no valid signature found

25-Mar-2020 16:29:05.075 dnssec: info: validating @0xb473dc48: 
dlv.isc.org DNSKEY: verify failed due to bad signature (keyid=19297): 
RRSIG has expired
25-Mar-2020 16:29:05.075 dnssec: notice: validating @0xb473dc48: 
dlv.isc.org DNSKEY: unable to find a DNSKEY which verifies the DNSKEY 
RRset and also matches a trusted key for 'dlv.isc.org'
25-Mar-2020 16:29:05.075 dnssec: notice: validating @0xb473dc48: 
dlv.isc.org DNSKEY: please check the 'trusted-keys' for 'dlv.isc.org' in 
named.conf.

No issues with our CentOS 7.7.1908 bind DNS servers.

To fix it I had to set the following in /etc/named.conf and restart the named service.

         dnssec-enable no;
         dnssec-validation no;

Anyone else had this issue?
Is there an updated key that is needed in the CentOS 6.10 version of bind
so that I can turn dnssec back on?

Regards, Tim

Tim D'Cruz
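As an added example (not from the post above and not part of BIND), here is a small Python parser that runs over constructed named.log lines modelled on the messages quoted in the post, counts the DLV-specific symptoms (bad cache hits against *.dlv.isc.org and expired dlv.isc.org RRSIGs), and checks a named.conf snippet for a dnssec-lookaside directive. That the dnssec-lookaside directive is what makes named consult dlv.isc.org is my assumption, not something the post states.

```python
import re
from collections import Counter

# Constructed sample named.log lines, modelled on the BIND 9 messages quoted in the post.
SAMPLE_LOG = """\
25-Mar-2020 16:26:10.285 dnssec: info: validating @0xb48b17c0: push.services.mozilla.com A: bad cache hit (push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.898 dnssec: info: validating @0xb48b17c0: www.kernel.org AAAA: bad cache hit (www.kernel.org.dlv.isc.org/DLV)
25-Mar-2020 16:26:25.828 dnssec: info:   validating @0xb48fdcd0: dlv.isc.org NSEC: verify failed due to bad signature (keyid=64263): RRSIG has expired
25-Mar-2020 16:29:05.075 dnssec: info: validating @0xb473dc48: dlv.isc.org DNSKEY: verify failed due to bad signature (keyid=19297): RRSIG has expired
25-Mar-2020 16:29:05.075 dnssec: notice: validating @0xb473dc48: dlv.isc.org DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for 'dlv.isc.org'
25-Mar-2020 16:30:00.000 general: info: zone example.net/IN: loaded serial 2020032501
"""

# One "validating @0x...: <name> <rtype>: <message>" line from the dnssec log category.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<cat>\w+): (?P<level>\w+): +validating @0x[0-9a-f]+: "
    r"(?P<name>\S+) (?P<rtype>\S+): (?P<msg>.*)$"
)

def parse_validation_events(log_text):
    """Return the dnssec validation events in log_text as dicts; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("cat") == "dnssec":
            events.append(m.groupdict())
    return events

def dlv_failure_summary(log_text):
    """Count the three DLV lookaside symptoms seen in the post's log excerpt."""
    counts = Counter()
    for ev in parse_validation_events(log_text):
        msg = ev["msg"]
        if "bad cache hit" in msg and ".dlv.isc.org/DLV" in msg:
            counts["dlv_bad_cache_hit"] += 1
        elif ev["name"] == "dlv.isc.org" and "RRSIG has expired" in msg:
            counts["dlv_rrsig_expired"] += 1
        elif ev["name"] == "dlv.isc.org" and "trusted key" in msg:
            counts["dlv_trust_anchor_mismatch"] += 1
    return dict(counts)

# Assumption: a dnssec-lookaside directive is what turns DLV lookups against dlv.isc.org on.
LOOKASIDE_RE = re.compile(r"^\s*dnssec-lookaside\s+[^;]*;", re.MULTILINE)

def lookaside_configured(named_conf_text):
    """True if the named.conf text still carries a dnssec-lookaside directive."""
    return bool(LOOKASIDE_RE.search(named_conf_text))
```

With this, a monitoring check can distinguish "DLV lookaside is broken" from a general DNSSEC validation failure before anyone reaches for dnssec-validation no.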