[CentOS] CentOS 6.10 bind DNSSEC issues

Wed Mar 25 17:35:31 UTC 2020
Robert Heller <heller at deepsoft.com>

At Wed, 25 Mar 2020 17:03:23 +0000 CentOS mailing list <centos at centos.org> wrote:

> 
> Hi,
> 
> Anyone else had any issues with CentOS 6.10 bind DNS servers

Yes.  The ISC DLV key installed with 
bind-9.8.2-0.68.rc1.el6_10.3.x86_64 seems to have expired and there does not 
appear to be a new bind-9.8.2 RPM with a new key.  I guess you can *manually* 
fetch a new key (look in the installed /etc/named.iscdlv.key file)

OR

You can just disable dnssec, by commenting out these lines:

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
                        
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
                
and restarting named.

> this afternoon.
> 
> At 16:26 (GMT) had alerts for DNS failures against our CentOS 6.10 bind 
> DNS servers from our monitoring system.
> 
> Sure enough DNS requests via the server were failing; checking the 
> named.log showed dnssec issues:
> 
> 25-Mar-2020 16:26:10.285 dnssec: info: validating @0xb48b17c0: 
> push.services.mozilla.com A: bad cache hit 
> (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.337 dnssec: info: validating @0xb4858cb0: 
> push.services.mozilla.com AAAA: bad cache hit 
> (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.349 dnssec: info: validating @0xb48b17c0: 
> push.services.mozilla.com AAAA: bad cache hit 
> (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.349 dnssec: info: validating @0xb4858cb0: 
> push.services.mozilla.com A: bad cache hit 
> (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.359 dnssec: info: validating @0xb1ec0030: 
> push.services.mozilla.com A: bad cache hit 
> (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.360 dnssec: info: validating @0xb462c430: 
> push.services.mozilla.com AAAA: bad cache hit 
> (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.441 dnssec: info: validating @0xb48b17c0: 
> push.services.mozilla.com A: bad cache hit 
> (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.441 dnssec: info: validating @0xb4858cb0: 
> push.services.mozilla.com AAAA: bad cache hit 
> (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.451 dnssec: info: validating @0xb1ec0030: 
> push.services.mozilla.com A: bad cache hit 
> (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.452 dnssec: info: validating @0xb462c430: 
> push.services.mozilla.com AAAA: bad cache hit 
> (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.463 dnssec: info: validating @0xb1ec0030: 
> push.services.mozilla.com A: bad cache hit 
> (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.463 dnssec: info: validating @0xb462c430: 
> push.services.mozilla.com AAAA: bad cache hit 
> (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.474 dnssec: info: validating @0xb1ec0030: 
> push.services.mozilla.com AAAA: bad cache hit 
> (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.474 dnssec: info: validating @0xb462c430: 
> push.services.mozilla.com A: bad cache hit 
> (push.services.mozilla.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.898 dnssec: info: validating @0xb48b17c0: 
> www.kernel.org AAAA: bad cache hit (www.kernel.org.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.899 dnssec: info: validating @0xb4858cb0: 
> www.kernel.org A: bad cache hit (www.kernel.org.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.902 dnssec: info: validating @0xb1ec0030: 
> www.national-lottery.co.uk A: bad cache hit 
> (www.national-lottery.co.uk.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.902 dnssec: info: validating @0xb48b17c0: 
> www.mirrorservice.org A: bad cache hit 
> (www.mirrorservice.org.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.902 dnssec: info: validating @0xb462c430: 
> www.national-lottery.co.uk AAAA: bad cache hit 
> (www.national-lottery.co.uk.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.903 dnssec: info: validating @0xb48b17c0: 
> www.mirrorservice.org AAAA: bad cache hit 
> (www.mirrorservice.org.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.908 dnssec: info: validating @0xb1ec0030: 
> www.kernel.org A: bad cache hit (www.kernel.org.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.909 dnssec: info: validating @0xb462c430: 
> www.kernel.org AAAA: bad cache hit (www.kernel.org.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.914 dnssec: info: validating @0xb48b17c0: 
> www.mirrorservice.org A: bad cache hit 
> (www.mirrorservice.org.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.915 dnssec: info: validating @0xb4858cb0: 
> www.mirrorservice.org AAAA: bad cache hit 
> (www.mirrorservice.org.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.915 dnssec: info: validating @0xb48b17c0: 
> www.national-lottery.co.uk AAAA: bad cache hit 
> (www.national-lottery.co.uk.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.916 dnssec: info: validating @0xb48b17c0: 
> www.national-lottery.co.uk A: bad cache hit 
> (www.national-lottery.co.uk.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.925 dnssec: info: validating @0xb1ec0030: 
> www.boredpanda.com A: bad cache hit (www.boredpanda.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.925 dnssec: info: validating @0xb48b17c0: 
> www.boredpanda.com AAAA: bad cache hit (www.boredpanda.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.927 dnssec: info: validating @0xb48b17c0: 
> www.bbc.co.uk AAAA: bad cache hit (www.bbc.co.uk.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.927 dnssec: info: validating @0xb4858cb0: 
> www.bbc.co.uk A: bad cache hit (www.bbc.co.uk.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.935 dnssec: info: validating @0xb48b17c0: 
> www.boredpanda.com A: bad cache hit (www.boredpanda.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.935 dnssec: info: validating @0xb4858cb0: 
> www.boredpanda.com AAAA: bad cache hit (www.boredpanda.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.938 dnssec: info: validating @0xb1ec0030: 
> www.bbc.co.uk A: bad cache hit (www.bbc.co.uk.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.938 dnssec: info: validating @0xb462c430: 
> www.bbc.co.uk AAAA: bad cache hit (www.bbc.co.uk.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.950 dnssec: info: validating @0xb48b17c0: 
> www.fosslinux.com A: bad cache hit (www.fosslinux.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.951 dnssec: info: validating @0xb4858cb0: 
> www.fosslinux.com AAAA: bad cache hit (www.fosslinux.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.962 dnssec: info: validating @0xb48b17c0: 
> www.fosslinux.com A: bad cache hit (www.fosslinux.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:10.962 dnssec: info: validating @0xb4858cb0: 
> www.fosslinux.com AAAA: bad cache hit (www.fosslinux.com.dlv.isc.org/DLV)
> 25-Mar-2020 16:26:11.021 dnssec: info: validating @0xb1ec0030: 
> uk.yahoo.com AAAA: bad cache hit (uk.yahoo.com.dlv.isc.org/DLV)
> 
> Followed by:
> 
> 25-Mar-2020 16:26:25.828 dnssec: info:   validating @0xb48fdcd0: 
> dlv.isc.org NSEC: verify failed due to bad signature (keyid=64263): 
> RRSIG has expired
> 25-Mar-2020 16:26:25.828 dnssec: info:   validating @0xb48fdcd0: 
> dlv.isc.org NSEC: no valid signature found
> 
> 25-Mar-2020 16:29:05.075 dnssec: info: validating @0xb473dc48: 
> dlv.isc.org DNSKEY: verify failed due to bad signature (keyid=19297): 
> RRSIG has expired
> 25-Mar-2020 16:29:05.075 dnssec: notice: validating @0xb473dc48: 
> dlv.isc.org DNSKEY: unable to find a DNSKEY which verifies the DNSKEY 
> RRset and also matches a trusted key for 'dlv.isc.org'
> 25-Mar-2020 16:29:05.075 dnssec: notice: validating @0xb473dc48: 
> dlv.isc.org DNSKEY: please check the 'trusted-keys' for 'dlv.isc.org' in 
> named.conf.
> 
> No issues with our CentOS 7.7.1908 bind DNS servers.
> 
> To fix I had to set the following in /etc/named.conf and restart the 
> named service.
> 
>          dnssec-enable no;
>          dnssec-validation no;
> 
> Anyone else had this issue?
> Is there an updated key that is needed in the CentOS 6.10 version of bind 
> so that I can turn dnssec back on?
> 
> regards Tim
> 
> Tim D'Cruz
> 
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
> 

-- 
Robert Heller             -- 978-544-6933 Cell: 413-658-7953 GV: 978-633-5364
Deepwoods Software        -- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
heller at deepsoft.com       -- Webhosting Services