My MTU is 1500 bytes, so I don't think that's the problem.

But UDP can fragment via IP...


> On May 13, 2022, at 10:34 AM, Greg Choules 
> <gregchoules+bindus...@googlemail.com> wrote:
> 
> Hi Philip.
> Can you run packet captures? I'm running 9.18.0 (close enough?) in Docker and 
> just traced what happens going from "dnssec-validation no;" to 
> "dnssec-validation auto;". It makes a DNSKEY query for "." to one of the 
> roots. The response size was over 900 bytes, so depending on what UDP payload 
> size is advertised there might need to be some retrying over TCP. But you'll 
> only know whether that is happening from a pcap.
> So I'd say... check EDNS payload size, check what your firewall(s) is/are 
> prepared to let through, check whether DNS/TCP is allowed at all, check if 
> something is doing IP fragmentation (though I wouldn't expect this to come 
> into play with a packet ~1k).
> 
> I hope some of that is useful.
> Cheers, Greg
> 
> On Fri, 13 May 2022 at 17:07, Philip Prindeville 
> <philipp_s...@redfish-solutions.com> wrote:
> After rebooting my OpenWRT router with Bind 9.18.1 yesterday, I started 
> seeing a lot of:
> 
> 
> May 12 19:24:06 OpenWrt named[11061]: validating ./NS: no valid signature 
> found
> May 12 19:24:06 OpenWrt named[11061]: validating net/DS: no valid signature 
> found
> May 12 19:24:06 OpenWrt named[11061]: no valid RRSIG resolving './NS/IN': 
> 192.203.230.10#53
> May 12 19:24:06 OpenWrt named[11061]: no valid RRSIG resolving 'net/DS/IN': 
> 8.8.4.4#53
> May 12 19:24:06 OpenWrt named[11061]: validating com/DS: no valid signature 
> found
> May 12 19:24:06 OpenWrt named[11061]: no valid RRSIG resolving 'com/DS/IN': 
> 8.8.4.4#53
> May 12 19:24:06 OpenWrt named[11061]: validating net/DS: no valid signature 
> found
> May 12 19:24:06 OpenWrt named[11061]: no valid RRSIG resolving 'net/DS/IN': 
> 66.232.64.10#53
> May 12 19:24:06 OpenWrt named[11061]: validating com/DS: no valid signature 
> found
> May 12 19:24:06 OpenWrt named[11061]: no valid RRSIG resolving 'com/DS/IN': 
> 66.232.64.10#53
> 
> 
> In my options, I had:
> 
> dnssec-validation auto;
> 
> But had to turn this off.  It had been working.  This is a production 
> firewall/router.
> 
> What troubleshooting should I do to fix this?
> 
> I had tried:
> 
> rndc managed-keys refresh
> rndc managed-keys sync
> 
> But don't understand why that would have been necessary unless the root keys 
> got updated recently.
> 
> Scrolling to the very top of the logs I see:
> 
> May 12 19:24:04 OpenWrt named[11061]: managed-keys-zone: Unable to fetch 
> DNSKEY set '.': timed out
> 
> Thanks,
> 
> -Philip
> 
> 
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
> this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
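An added diagnostic script (not from either poster) for the checks Greg lists: it sends a DNSKEY query for "." over UDP with a chosen EDNS payload size, then over TCP, and reports whether the reply came back complete, truncated (TC=1) or not at all. The 1232-byte default and the server address are assumptions; `probe("192.203.230.10")` would test the root server named in Philip's log.

```python
import socket
import struct

def build_dnskey_query(qname=".", udp_payload=1232, txid=0x1234):
    """Wire-format DNSKEY query carrying an EDNS0 OPT record (RFC 6891) with DO set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, ARCOUNT=1 for OPT
    labels = [l.encode() for l in qname.strip(".").split(".") if l]
    question = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00" + struct.pack("!HH", 48, 1)
    # OPT RR: root owner, TYPE 41, CLASS = advertised UDP payload size, TTL = flags (DO=0x8000)
    return header + question + b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0x8000, 0)

def parse_header(msg):
    """Reply header fields that matter here: TC bit, RCODE, answer count, wire size."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "tc": bool(flags & 0x0200), "rcode": flags & 0xF, "ancount": an, "size": len(msg)}

def query_udp(server, query, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        return s.recv(65535)

def query_tcp(server, query, timeout=3.0):
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)  # RFC 1035 2-byte length prefix
        f = s.makefile("rb")
        return f.read(struct.unpack("!H", f.read(2))[0])

def explain(udp, tcp):
    """Map the two probe results (None = timed out or failed) onto the likely cause."""
    if udp is None and tcp is None:
        return "no reply over UDP or TCP: port 53 blocked or server unreachable"
    if udp is None:
        return "UDP timed out but TCP answered: large/fragmented UDP replies are being dropped"
    if udp["tc"] and tcp is None:
        return "UDP reply truncated (TC=1) and TCP failed: DNS over TCP is blocked"
    if udp["tc"]:
        return "UDP truncated, TCP fallback delivered %d bytes" % tcp["size"]
    return "complete reply over UDP (%d bytes)" % udp["size"]

def probe(server, udp_payload=1232):
    """Greg's checklist against one server: UDP with the given EDNS size, then TCP."""
    q = build_dnskey_query(".", udp_payload)
    results = []
    for fn in (query_udp, query_tcp):
        try:
            results.append(parse_header(fn(server, q)))
        except (OSError, struct.error):
            results.append(None)  # the "Unable to fetch DNSKEY set '.': timed out" symptom
    return explain(*results)
```

Run it once with the EDNS size named currently configured (or 4096 if none is set) and once with 1232; a UDP timeout that disappears at the smaller size points at fragment filtering rather than DNSSEC itself.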
