Hi All,
Just upgraded from FC33 to FC34.
FC34 broke my bind. Here are "some" of the repeating errors:
# named-checkzone -t /var/named/chroot/var/named/slaves xyz xyz.hosts
xyz.hosts:3: ignoring out-of-zone data (xyz.local)
xyz.hosts:15: ignoring out-of-zone data (DeadStick.xyz.local)

1  $ORIGIN .
2  $TTL 86400      ; 1 day
3  xyz.local    IN SOA  xyz.local. root@rn6.xyz.local. (
4                   265        ; serial
5                   10800      ; refresh (3 hours)
6                   3600       ; retry (1 hour)
7                   3600000    ; expire (5 weeks 6 days 16 hours)
8                   86400      ; minimum (1 day)
9                   )
10              NS      xyz.local.
11              A       192.168.255.10
12              MX      10 xyz.local.
13 $ORIGIN xyz.local.
14 $TTL 3600       ; 1 hour
15 DeadStick    A       192.168.255.156
16              TXT     "310702541c5622d0e6001136bd71a6578b"
Please note this all worked perfectly under FC33
Many thanks, -T
Hi,
ToddAndMargo via users wrote:
Hi All,
Just upgraded from FC33 to FC34.
FC34 broke my bind. Here are "some" of the repeating errors:
Bind was updated from 9.11 to 9.16 in Fedora 34:
https://fedoraproject.org/wiki/Changes/BIND9.16
You'll need to review the upstream documentation and adjust your configuration as needed.
On Sat, 12 Jun 2021 16:39:45 -0700 ToddAndMargo via users wrote:
Please note this all worked perfectly under FC33
Named completely ceased working for me under f34 as well (I just run a server for my local LAN). Apparently some setting in the new config files screwed something up.
Rather than trying to add my settings to the installed configs, I just copied the f33 config files directly from f33, and named started working again.
I never bothered to compare them and find out what broke things, though I suspect it has something to do with secure name lookups.
On 6/12/21 5:26 PM, Tom Horsley wrote:
On Sat, 12 Jun 2021 16:39:45 -0700 ToddAndMargo via users wrote:
Please note this all worked perfectly under FC33
Named completely ceased working for me under f34 as well (I just run a server for my local LAN). Apparently some setting in the new config files screwed something up.
Rather than trying to add my settings to the installed configs, I just copied the f33 config files directly from f33, and named started working again.
I never bothered to compare them and find out what broke things, though I suspect it has something to do with secure name lookups.
As far as I can tell, my configs are verbatim of FC33.
:'(
On 6/12/21 5:13 PM, Todd Zullinger wrote:
Hi,
ToddAndMargo via users wrote:
Hi All,
Just upgraded from FC33 to FC34.
FC34 broke my bind. Here are "some" of the repeating errors:
Bind was updated from 9.11 to 9.16 in Fedora 34:
https://fedoraproject.org/wiki/Changes/BIND9.16
You'll need to review the upstream documentation and adjust your configuration as needed.
Well that explains it.
The link is not real helpful. I am not seeing anything different from what I was doing. Maybe I am missing something.
On 6/12/21 4:39 PM, ToddAndMargo via users wrote:
Hi All,
Just upgraded from FC33 to FC34.
# rpm -aq bind*
bind-export-libs-9.11.11-1.fc30.x86_64
bind-license-9.16.16-1.fc34.noarch
bind-dnssec-doc-9.16.16-1.fc34.noarch
bind-libs-9.16.16-1.fc34.x86_64
bind-utils-9.16.16-1.fc34.x86_64
bind-dnssec-utils-9.16.16-1.fc34.x86_64
bind-9.16.16-1.fc34.x86_64
bind-chroot-9.16.16-1.fc34.x86_64

# named-checkzone -t /var/named/chroot/var/named/slaves 255.168.192.in-addr.arpa abc.hosts.rev
zone 255.168.192.in-addr.arpa/IN: loaded serial 213
OK

# named-checkzone -t /var/named/chroot/var/named/slaves abc.local abc.hosts
zone abc.local/IN: loaded serial 265
OK
and
# named-checkconf -l -t /var/named/chroot /etc/named.conf
abc.local IN _default master
255.168.192.in-addr.arpa IN _default master
0.0.127.in-addr.arpa IN _default master
So why am I getting "file not found" in the following?
# systemctl status named.service
× named.service - Berkeley Internet Name Domain (DNS)
     Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
     Active: failed (Result: exit-code) since Sat 2021-06-12 16:31:16 PDT; 3h 46min ago
    Process: 18368 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is >
        CPU: 12ms

Jun 12 16:31:16 rn6.abc.local bash[18369]: _default/abc.local/IN: file not found
Jun 12 16:31:16 rn6.abc.local bash[18369]: zone 255.168.192.in-addr.arpa/IN: loading from master file slaves/abc.hosts.rev failed: file not found
Jun 12 16:31:16 rn6.abc.local bash[18369]: zone 255.168.192.in-addr.arpa/IN: not loaded due to errors.
Jun 12 16:31:16 rn6.abc.local bash[18369]: _default/255.168.192.in-addr.arpa/IN: file not found
Jun 12 16:31:16 rn6.abc.local bash[18369]: zone 0.0.127.in-addr.arpa/IN: loading from master file named.local failed: file not found
Jun 12 16:31:16 rn6.abc.local bash[18369]: zone 0.0.127.in-addr.arpa/IN: not loaded due to errors.
Jun 12 16:31:16 rn6.abc.local bash[18369]: _default/0.0.127.in-addr.arpa/IN: file not found
Jun 12 16:31:16 rn6.abc.local systemd[1]: named.service: Control process exited, code=exited, status=1/FAILURE
Jun 12 16:31:16 rn6.abc.local systemd[1]: named.service: Failed with result 'exit-code'.
Jun 12 16:31:16 rn6.abc.local systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
My /etc/named.local
// generated by named-bootconf.pl

options {
        # the following forwarders is Family friendly Open DNS:
        # forwarders { 208.67.222.122; 208.67.220.120; };

        # the following forwarders is for Open DNS
        forwarders { 208.67.222.222; 208.67.220.220; };

        # the following forwarders is for Google's DNS
        #forwarders { 8.8.8.8; 8.8.4.4; };

        directory "/var/named";
        # pid-file "/var/named/chroot/run/named/named.pid";
        # pid-file "/var/named/chroot/run/named/nonamed.pid";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
};

key DHCP_UPDATER {
        algorithm hmac-md5;
        secret cgGq509uDODGTU4J9QZwgQ==;
};

zone "abc.local" {
        type master;
        # file "/var/named/chroot/var/named/slaves/abc.hosts";
        file "slaves/abc.hosts";
        allow-update { key DHCP_UPDATER; };
        # allow-update { 127.0.0.1; };
};

zone "255.168.192.in-addr.arpa" {
        type master;
        # file "/var/named/chroot/var/named/slaves/abc.hosts.rev";
        file "slaves/abc.hosts.rev";
        allow-update { key DHCP_UPDATER; };
        # allow-update { 127.0.0.1; };
};

zone "0.0.127.in-addr.arpa" {
        type master;
        # file "/var/named/chroot/var/named/named.local";
        file "named.local";
};

# logging {
#       channel update_debug {
#               file "/var/named/chroot/var/named/slaves/named-update-debug.log";
#               severity debug 3;
#               print-category yes;
#               print-severity yes;
#               print-time yes;
#       };
#       channel security_info {
#               file "slaves/named-auth.info";
#               severity info;
#               print-category yes;
#               print-severity yes;
#               print-time yes;
#       };
#
#       category update { update_debug; };
#       category security { security_info; };
# };
On Sat, 2021-06-12 at 22:50 -0700, ToddAndMargo via users wrote:
So why am I getting "file not found" in the following?
If your files are at the expected paths, check SELinux. It's a common cause of unexpected and unexplained "file not found" errors.
Oh poop! Figured it out!
# systemctl status named-chroot.service
● named-chroot.service - Berkeley Internet Name Domain (DNS)
     Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; enabled; vendor preset: disabled)
     Active: active (running) since Sat 2021-06-12 14:49:05 PDT; 8h ago
    Process: 11410 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checki>
    Process: 11446 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS (code=exited, status=0/SUCCESS)
   Main PID: 11452 (named)
      Tasks: 14 (limit: 19025)
     Memory: 141.5M
        CPU: 14.612s
     CGroup: /system.slice/named-chroot.service
             └─11452 /usr/sbin/named -u named -c /etc/named.conf -t /var/named/chroot
I was starting the wrong named !!!!!!!
# systemctl disable daemon_name.service

Fixed the problem
Freaking FC34 upgrade disabled named-chroot on me!
Sorry for putting your guys through all this. Thank you all for the tips!
-T
On 6/12/21 11:09 PM, Tim via users wrote:
On Sat, 2021-06-12 at 22:50 -0700, ToddAndMargo via users wrote:
So why am I getting "file not found" in the following?
If your files are at the expected paths, check SELinux. It's a common cause of unexpected and unexplained "file not found" errors.
Tried that. I was starting the wrong named. See the post I just made before this one.
Thanks anyway.
-T
On 6/12/21 11:39 PM, ToddAndMargo via users wrote:
Okay, now I am REALLY confused!!!
# host 8.8.8.8 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

Host 8.8.8.8.in-addr.arpa not found: 2(SERVFAIL)
This is my /etc/resolv.conf (same as in FC33):
# cat /etc/resolv.conf
# Generated by NetworkManager
search abc.local
nameserver 127.0.0.1
# nameserver 8.8.8.8
Now what ?!?!?!
On 13/06/2021 16:29, ToddAndMargo via users wrote:
try
dig @localhost -x 8.8.8.8
On 6/13/21 1:29 AM, ToddAndMargo via users wrote:
A workaround is at the bottom
# host google.com 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

Host google.com not found: 2(SERVFAIL)

[root@rn6 etc]# systemctl status named-chroot.service
● named-chroot.service - Berkeley Internet Name Domain (DNS)
     Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; enabled; vendor preset: disabled)
     Active: active (running) since Sun 2021-06-13 01:39:12 PDT; 1min 12s ago
    Process: 32167 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checki>
    Process: 32170 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS (code=exited, status=0/SUCCESS)
   Main PID: 32171 (named)
      Tasks: 14 (limit: 19025)
     Memory: 97.2M
        CPU: 180ms
     CGroup: /system.slice/named-chroot.service
             └─32171 /usr/sbin/named -u named -c /etc/named.conf -t /var/named/chroot

Jun 13 01:40:05 rn6.abc.local named[32171]: network unreachable resolving 'com/DS/IN': 2001:503:c27::2:30#53
Jun 13 01:40:05 rn6.abc.local named[32171]: network unreachable resolving 'com/DS/IN': 2001:500:1::53#53
Jun 13 01:40:05 rn6.abc.local named[32171]: network unreachable resolving 'com/DS/IN': 2001:500:2::c#53
Jun 13 01:40:05 rn6.abc.local named[32171]: network unreachable resolving 'com/DS/IN': 2001:500:200::b#53
Jun 13 01:40:05 rn6.abc.local named[32171]: network unreachable resolving 'com/DS/IN': 2001:500:12::d0d#53
Jun 13 01:40:05 rn6.abc.local named[32171]: network unreachable resolving 'com/DS/IN': 2001:500:9f::42#53
Jun 13 01:40:05 rn6.abc.local named[32171]: network unreachable resolving 'com/DS/IN': 2001:7fd::1#53
Jun 13 01:40:05 rn6.abc.local named[32171]: validating com/DS: no valid signature found
Jun 13 01:40:05 rn6.abc.local named[32171]: no valid RRSIG resolving 'com/DS/IN': 192.36.148.17#53
Jun 13 01:40:05 rn6.abc.local named[32171]: broken trust chain resolving 'google.com/A/IN': 208.67.220.220#53
Found in /var/log/messages:
Jun 13 01:43:12 rn6 named[32171]: validating google.com/A: bad cache hit (com/DS)
Jun 13 01:43:12 rn6 named[32171]: broken trust chain resolving 'google.com/A/IN': 208.67.220.220#53
I added this to named.conf, options block: dnssec-validation no;
and it fixed it.
How do I fix it without dnssec-validation no; ?
-T
# host google.com 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

google.com has address 172.217.6.78
google.com has IPv6 address 2607:f8b0:4005:80a::200e
google.com mail is handled by 10 aspmx.l.google.com.
google.com mail is handled by 50 alt4.aspmx.l.google.com.
google.com mail is handled by 40 alt3.aspmx.l.google.com.
google.com mail is handled by 20 alt1.aspmx.l.google.com.
google.com mail is handled by 30 alt2.aspmx.l.google.com.
dnssec-validation yes; should work, ensure include "/etc/named.root.key"; is in named.conf too. dnssec-validation auto; would work even without it.
It requires your forwarders to supply DNSSEC records. Check with:
dig @$IP +dnssec com ds
Or with validation:
delv @$IP com ds
Replace $IP with any IP you want to check, be it localhost, or OpenDNS servers. Should be recursive.
It has to include RRSIG also. All serious resolvers always include DNSSEC records.
You can use "rndc flushtree com" to flush that name from the cache. It should work after another query. If it happens again try changing forwarder servers to different set.
Cheers, Petr
On Sun, Jun 13, 2021 at 10:52 AM ToddAndMargo via users < users@lists.fedoraproject.org> wrote:
users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
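As an added example (not from the thread, and not BIND's or Fedora's own tooling): a small POSIX shell script that applies Petr's check mechanically. It classifies the text output of dig @FORWARDER +dnssec com ds into "usable for validation" (DS plus RRSIG present), "DNSSEC stripped" (DS without RRSIG, which is what produces the "no valid RRSIG" / "broken trust chain" log lines above) or "no usable answer". The three dig outputs embedded below are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added example: classify `dig @<forwarder> +dnssec com ds` output the way a
# validating named sees it. With dnssec-validation yes/auto the forwarder must
# return the DS RRset together with its RRSIG, or validation cannot succeed.

# Constructed sample 1: DNSSEC-aware recursive forwarder (DS, RRSIG, ad flag).
GOOD_ANSWER=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;com.                IN  DS

;; ANSWER SECTION:
com.    86400  IN  DS     12345 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
com.    86400  IN  RRSIG  DS 8 1 86400 20210626000000 20210613000000 11111 . Y29uc3RydWN0ZWQ=
'
# Constructed sample 2: forwarder answers, but strips DNSSEC records.
STRIPPED_ANSWER=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;com.                IN  DS

;; ANSWER SECTION:
com.    86400  IN  DS     12345 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
'
# Constructed sample 3: forwarder unreachable or failing its own validation.
SERVFAIL_ANSWER=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
'

# Reads dig output on stdin. Exit 0: DS and RRSIG present, named can validate.
# Exit 1: no usable answer. Exit 2: DS without RRSIG (DNSSEC data stripped).
dnssec_answer_ok() {
    answer=$(cat)
    status=$(printf '%s\n' "$answer" |
        sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\).*/\1/p')
    if [ "$status" != "NOERROR" ]; then
        echo "status ${status:-unknown}: no usable answer from forwarder"
        return 1
    fi
    # The RRSIG covering the DS RRset must be in the ANSWER section.
    if ! printf '%s\n' "$answer" | sed -n '/^;; ANSWER SECTION:/,/^$/p' |
        grep -q 'IN[[:space:]]\{1,\}RRSIG[[:space:]]\{1,\}DS'; then
        echo "DS without RRSIG: forwarder strips DNSSEC data, named will log 'broken trust chain'"
        return 2
    fi
    # "ad" in the flags line means the forwarder validated the answer itself.
    if printf '%s\n' "$answer" | grep '^;; flags:' | grep -q '[ ]ad[ ;]'; then
        echo "DS + RRSIG, ad flag set: forwarder validates and passes DNSSEC data"
    else
        echo "DS + RRSIG, no ad flag: forwarder passes DNSSEC data, named validates itself"
    fi
    return 0
}

# Live check against a real forwarder (needs dig and network access), e.g.
#   check_forwarder 208.67.222.222
check_forwarder() {
    dig @"$1" +dnssec com ds | dnssec_answer_ok
}

# When run directly: classify the three constructed samples.
for sample in "$GOOD_ANSWER" "$STRIPPED_ANSWER" "$SERVFAIL_ANSWER"; do
    printf '%s\n' "$sample" | dnssec_answer_ok || echo "  (exit status $?)"
done
```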
On 6/14/21 7:36 AM, Petr Mensik wrote:
Hi Petr,
That fixed it. I was missing the named.root.key.
Thank you!
-T
Open DNS's family friendly DNS server:

$ delv @208.67.222.123 com ds
; fully validated