On 25/03/2020 20:56, Havard Eidnes wrote:

My caching dns failed unexpectedly today, apparently I was not alone:
https://www.mail-archive.com/bind-users@lists.isc.org/msg28624.html

From ISC: "We apparently let our signatures on dlv.isc.org expire."
Ouch!

I fixed this temporarily by adding:

    dnssec-accept-expired yes;

Which feels risky...

Yes, I would not do that.

Another user on the ISC list suggested setting

    dnssec-lookaside no;

Which also feels risky.

No, that's not risky at all!

Not only that, putting dnssec back to auto and removing dnssec-lookaside
and everything works:
$ ping6 www.google.com
PING6(56=40+8+8 bytes) 2001:8b0:84:1::1 --> 2a00:1450:4009:819::2004
16 bytes from 2a00:1450:4009:819::2004, icmp_seq=0 hlim=58 time=13.812 ms
16 bytes from 2a00:1450:4009:819::2004, icmp_seq=1 hlim=58 time=13.589 ms
16 bytes from 2a00:1450:4009:819::2004, icmp_seq=2 hlim=58 time=13.519 ms
And even:
$ ping protonmail.ch
PING protonmail.ch (185.70.41.32): 56 data bytes
64 bytes from 185.70.41.32: icmp_seq=0 ttl=55 time=34.651610 ms
64 bytes from 185.70.41.32: icmp_seq=1 ttl=55 time=34.876867 ms
64 bytes from 185.70.41.32: icmp_seq=2 ttl=55 time=34.690384 ms
So this fixes the protonmail.ch problem as well, which I could reproduce
as well.
Mike
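
An added example, not part of the original message: a small Python check for the failure this thread is about, RRSIG records whose expiration time has passed. The sample records, the names under example., the clock value and the 3-day warning window are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed dig-style records (RFC 4034 presentation format); not real data.
SAMPLE = """\
dlv.example.  3600 IN RRSIG SOA 5 2 3600 20200325120000 20200224120000 11111 dlv.example. c2lnMQ==
www.example.  300  IN RRSIG A   8 2 300  20200327000000 20200313000000 22222 example. c2lnMg==
mail.example. 300  IN RRSIG MX  8 2 300  20200420000000 20200321000000 22222 example. c2lnMw==
new.example.  300  IN RRSIG A   8 2 300  20200501000000 20200401000000 22222 example. c2lnNA==
www.example.  300  IN A 192.0.2.10
"""

def _ts(field):
    """RRSIG times: YYYYMMDDHHmmSS (14 digits) or seconds since the epoch, UTC."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def parse_rrsigs(text):
    """Yield (owner, type_covered, inception, expiration) per RRSIG line."""
    for line in text.splitlines():
        f = line.split()
        if line.startswith(";") or "RRSIG" not in f:
            continue
        i = f.index("RRSIG")
        if len(f) < i + 10:  # truncated record, skip
            continue
        # rdata order: covered alg labels origttl expiration inception keytag signer sig
        yield f[0], f[i + 1], _ts(f[i + 6]), _ts(f[i + 5])

def classify(inception, expiration, now, warn=timedelta(days=3)):
    """A validator accepts a signature only while inception <= now <= expiration."""
    if now < inception:
        return "not-yet-valid"
    if now > expiration:
        return "expired"
    if expiration - now <= warn:
        return "expiring-soon"
    return "valid"

def audit(text, now):
    return [(o, t, classify(inc, exp, now)) for o, t, inc, exp in parse_rrsigs(text)]

if __name__ == "__main__":
    now = datetime(2020, 3, 25, 20, 56, tzinfo=timezone.utc)  # constructed clock
    for owner, covered, status in audit(SAMPLE, now):
        print(f"{owner:<14}{covered:<4}{status}")
```

Run against saved `dig +dnssec` output from your own zones, the "expiring-soon" result is the one to alert on, before validating resolvers start failing.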