Dnssec issues

2022-09-22 Thread salma smaoui
Hello All,

We are facing some resolution problems on a CentOS resolver that deploys bind 
9.11.36-S1 with DNSSEC being activated.
The logs in 'default.logs' show the current errors:
X-Sep-2022 10:34:29.348 dnssec: info:   validating shalltry.com/SOA: bad cache hit (shalltry.com/DS)
X-Sep-2022 10:34:29.363 dnssec: info: validating osupdate2020.shalltry.com/A: bad cache hit (shalltry.com/DS)
X-Sep-2022 10:34:29.411 dnssec: info:   validating static.cnews.fr/NSEC: no valid signature found
X-Sep-2022 10:34:29.445 dnssec: info: validating ocsp.comodoca.com.cdn.cloudflare.net/A: bad cache hit (cloudflare.net/DNSKEY)
X-Sep-2022 10:34:29.447 dnssec: info: validating cdn.jsdelivr.net.cdn.cloudflare.net/A: bad cache hit (cloudflare.net/DNSKEY)
X-Sep-2022 10:34:29.558 dnssec: info: validating oshola.shalltry.com/A: bad cache hit (shalltry.com/DS)
X-Sep-2022 10:34:29.567 dnssec: info: validating ds.shalltry.com/A: bad cache hit (shalltry.com/DS)
X-Sep-2022 10:34:29.570 dnssec: info: validating cdn.shalltry.com/A: bad cache hit (shalltry.com/DS)
Each night we noticed the occurrence of a resolution problem (mini crisis) where 
requests receive 'ServFail' for random domains, the maximum recursive clients 
is also reached along with the appearance of the error in the logs being highly 
increased. Even known domain names like apple.com and google.com receive 
'ServFail' when requested. Once flushing the cache, the situation gets back to 
normal and bind starts functioning correctly.
In fact, by activating dnssec.log, we noticed these errors: 'no walidating 
signature found'.
When deactivating DNSSEC, we noticed that there are no more crises for now.
Any possible explanation? Has anyone faced this problem before?

Best regards.


-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
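
An added example, not part of the original message and not ISC code: a small triage script that parses dnssec log entries in the format quoted in the message above and groups them by failure reason and by the record named in parentheses, so it is easy to see which DS or DNSKEY record most failures point at. The sample input is constructed from the quoted lines; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample, modelled on the log lines quoted in the message above
# (one entry per line; the date field is kept as posted).
SAMPLE_LOG = """\
X-Sep-2022 10:34:29.348 dnssec: info:   validating shalltry.com/SOA: bad cache hit (shalltry.com/DS)
X-Sep-2022 10:34:29.363 dnssec: info: validating osupdate2020.shalltry.com/A: bad cache hit (shalltry.com/DS)
X-Sep-2022 10:34:29.411 dnssec: info:   validating static.cnews.fr/NSEC: no valid signature found
X-Sep-2022 10:34:29.445 dnssec: info: validating ocsp.comodoca.com.cdn.cloudflare.net/A: bad cache hit (cloudflare.net/DNSKEY)
X-Sep-2022 10:34:29.558 dnssec: info: validating oshola.shalltry.com/A: bad cache hit (shalltry.com/DS)
an unrelated line that must be ignored
"""

# "validating <name>/<type>: <reason>", optionally followed by
# "(<name>/<type>)" naming the record the message refers to.
LINE_RE = re.compile(
    r"dnssec: info:\s+validating (?P<name>\S+)/(?P<rtype>[A-Z0-9]+): "
    r"(?P<reason>[^()]+?)(?: \((?P<cause>[^)]+)\))?\s*$"
)

def parse(line):
    """Return the fields of one validator log line, or None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def summarise(log_text):
    """Count entries per reason and per parenthesised record; collect affected names."""
    reasons, causes, victims = Counter(), Counter(), {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        reasons[rec["reason"]] += 1
        if rec["cause"]:
            causes[rec["cause"]] += 1
            victims.setdefault(rec["cause"], set()).add(rec["name"])
    return reasons, causes, victims

if __name__ == "__main__":
    reasons, causes, victims = summarise(SAMPLE_LOG)
    for cause, n in causes.most_common():
        print(f"{cause}: {n} entries, e.g. {sorted(victims[cause])[:3]}")
    print(dict(reasons))
```
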


dig: couldn't get address for root servers

2021-10-27 Thread salma smaoui
Greetings,

Hope you're all doing great.
Actually, I am using bind 9.11.28-S1, and I am facing some problems: whenever 
I use the command dig +trace, I come across this error: dig: couldn't get 
address for 'F.ROOT-SERVERS.NET': failure.
Does anyone have an idea why I see this error? It is really causing DNS 
failures.
Best regards.