Recently, after updating my primary DNS server, I noticed that it would not answer recursive queries, returning SERVFAIL. It answers queries about the local domain just fine.

"/var/log/messages" is filled with log entries like:

Mar 25 04:27:43 david named[2699]: no valid RRSIG resolving 'steampowered.com/DS/IN': 192.55.83.30#53
Mar 25 04:27:43 david named[2699]: no valid DS resolving 'repo.steampowered.com/A/IN': 23.61.199.67#53
Mar 25 04:27:43 david named[2699]: validating repo.steampowered.com/CNAME: bad cache hit (steampowered.com/DS)
Mar 25 04:27:43 david named[2699]: broken trust chain resolving 'repo.steampowered.com/A/IN': 184.85.248.67#53

I commented out the "dnssec" lines from the options section of my "named.conf" file and restarted named. It would then answer recursive queries.

The primary name server runs NetBSD/sparc-7.0_BETA.

I attached 'ktruss' to the process and noticed a number of reads of file descriptors (sockets?) that ended with "ENOENT" indicating that whatever file it wanted didn't exist or "EAGAIN" indicating a temporary resource shortage. Also some "recvfrom()" and "sendto()" calls with the same result.

There was one anomaly I could see. As I run my 'named' chrooted, the "/etc/rndc.key" is a symlink pointing to the relocated file in the chroot directory. Somehow the file had been removed, resulting in a broken link. This caused '/etc/rc.d/named' to try to regenerate the file, but 'rndc-confgen' would claim it already existed. Removing the symlink and restarting regenerated the file and relocated it properly.

Unfortunately, this didn't solve the problem.

My backup name server runs NetBSD/amd64-7.0_BETA and it answers recursive queries with DNSSEC enabled.

(The sparc machine's disk is in need of replacement, but I haven't been able to do so yet. I have a suspicion that the issue is a library in a bad spot on the disk. I would expect kernel messages about that, but there haven't been any.)

--
|/"\ John D. Baker, KN5UKS NetBSD Darwin/MacOS X
|\ / jdbaker[snail]mylinuxisp[flyspeck]com OpenBSD FreeBSD
| X No HTML/proprietary data in email. BSD just sits there and works!
|/ \ GPGkeyID: D703 4A7E 479F 63F8 D3F4 BD99 9572 8F23 E4AD 1645
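
Added example, not part of the original post: a small Python triage of the named validator messages quoted above, grouping the follow-on failures under the record whose signature check failed and the server that supplied it. It assumes the log line shapes shown in the post and treats the "no valid RRSIG" entry as the first failure in each chain; the function name triage is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the four syslog lines quoted in the post above.
SAMPLE = """\
Mar 25 04:27:43 david named[2699]: no valid RRSIG resolving 'steampowered.com/DS/IN': 192.55.83.30#53
Mar 25 04:27:43 david named[2699]: no valid DS resolving 'repo.steampowered.com/A/IN': 23.61.199.67#53
Mar 25 04:27:43 david named[2699]: validating repo.steampowered.com/CNAME: bad cache hit (steampowered.com/DS)
Mar 25 04:27:43 david named[2699]: broken trust chain resolving 'repo.steampowered.com/A/IN': 184.85.248.67#53
"""

# "<reason> resolving '<name>/<type>/<class>': <server>#<port>"
RESOLVING = re.compile(
    r"named\[\d+\]: (?P<reason>no valid RRSIG|no valid DS|broken trust chain) "
    r"resolving '(?P<name>[^/']+)/(?P<rtype>\w+)/\w+': (?P<server>[0-9A-Fa-f.:]+)#\d+")
# "validating <name>/<type>: bad cache hit (<name>/<type>)"
CACHE_HIT = re.compile(
    r"named\[\d+\]: validating (?P<name>[^/\s]+)/(?P<rtype>\w+): "
    r"bad cache hit \((?P<cached>[^/)]+)/(?P<ctype>\w+)\)")

def triage(log_text):
    """Group failures by the record whose signature check failed first."""
    roots = {}                      # "name/TYPE" -> server that answered
    dependents = defaultdict(set)   # "name/TYPE" -> names that failed because of it
    unlinked = set()                # follow-on failures not yet tied to a root
    for line in log_text.splitlines():
        m = RESOLVING.search(line)
        if m and m["reason"] == "no valid RRSIG":
            roots.setdefault(f"{m['name']}/{m['rtype']}", m["server"])
        elif m:
            unlinked.add(m["name"])
        else:
            m = CACHE_HIT.search(line)
            if m:
                dependents[f"{m['cached']}/{m['ctype']}"].add(m["name"])
    # Attach follow-on failures to a root whose owner name is a parent zone.
    for name in sorted(unlinked):
        for key in roots:
            zone = key.split("/")[0]
            if name == zone or name.endswith("." + zone):
                dependents[key].add(name)
    return {k: {"server": v, "dependents": sorted(dependents[k])} for k, v in roots.items()}

if __name__ == "__main__":
    for record, info in triage(SAMPLE).items():
        print(record, "from", info["server"], "->", info["dependents"])
```

Run against a full /var/log/messages, the output shows whether the failures cluster under a few zones or span every signed zone the resolver touches.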
