Hello All,
We are facing some resolution problems on a CENTOS resolver that deploys bind
9.11.36-S1 with DNSSEC being activated.
The logs in 'default.logs' shows the current errors :
X-Sep-2022 10:34:29.348 dnssec: info: validating shalltry.com/SOA: bad cache
hit (shalltry.com/DS)
X-Sep-2022 10:34:29.363 dnssec: info: validating osupdate2020.shalltry.com/A:
bad cache hit (shalltry.com/DS)
X-Sep-2022 10:34:29.411 dnssec: info: validating static.cnews.fr/NSEC: no
valid signature found
X-Sep-2022 10:34:29.445 dnssec: info: validating
ocsp.comodoca.com.cdn.cloudflare.net/A: bad cache hit (cloudflare.net/DNSKEY)
X-Sep-2022 10:34:29.447 dnssec: info: validating
cdn.jsdelivr.net.cdn.cloudflare.net/A: bad cache hit (cloudflare.net/DNSKEY)
X-Sep-2022 10:34:29.558 dnssec: info: validating oshola.shalltry.com/A: bad
cache hit (shalltry.com/DS)
X-Sep-2022 10:34:29.567 dnssec: info: validating ds.shalltry.com/A: bad cache
hit (shalltry.com/DS)
X-Sep-2022 10:34:29.570 dnssec: info: validating cdn.shalltry.com/A: bad cache
hit (shalltry.com/DS)
Each night we noticed the occurence of a resolution problem (mini crisis) where
requestes receive 'ServFail' for random domains, the maximum recursive clients
is also reached along with the appearance of the error in the logs being highly
increased. Even known domain names like apple.com and google.com receive
'ServFail' when requested. Once flushing the cache, the situation gets back to
normal and bind starts functionning correctly.
In fact, by activating dnssec.log, we noticed these errors : 'no walidating
signature found'.
When deactivating DNSSEC, we noticed that there are no more crisis for now.
Any possible explanation? Have anyone faced this problem before?
Best regards.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users