Re: [CentOS] CentOS 6.10 bind DNSSEC issues

2020-03-25 Thread Chris Adams
Once upon a time, Robert Heller  said:
> Yes.  The installed ISC DLV key installed with 
> bind-9.8.2-0.68.rc1.el6_10.3.x86_64 seems to have expired and there does not 
> appear to be a new bind-9.8.2 RPM with a new key.  I guess you can *manually* 
> fetch a new key (look in the installed /etc/named.iscdlv.key file)

ISC DLV has been obsolete for a while now, you should disable it.

> dnssec-lookaside auto;

I think setting this to "no" and restarting named should do it.
-- 
Chris Adams 
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
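An added example, not code from the thread or from BIND: a small audit that reads the DNSSEC options discussed above out of a named.conf body and reports whether lookaside (DLV) and validation are explicitly configured. It separates the case where only `dnssec-lookaside` is set to "no" from the case where all the lines are commented out. The sample configuration is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the options quoted in this thread;
# not a copy of any real server's named.conf.
SAMPLE_CONF = """
options {
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;   // ISC DLV
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
};
"""

WATCHED = ("dnssec-enable", "dnssec-validation",
           "dnssec-lookaside", "bindkeys-file")


def strip_comments(text):
    """Drop /* */, // and # comments but keep quoted strings intact."""
    pattern = r'("(?:\\.|[^"\\])*")|/\*.*?\*/|//[^\n]*|#[^\n]*'
    return re.sub(pattern, lambda m: m.group(1) or " ", text, flags=re.S)


def dnssec_settings(text):
    """Map each watched option to the value written in the config."""
    found = {}
    for stmt in strip_comments(text).replace("{", ";").split(";"):
        words = stmt.split()
        if words and words[0] in WATCHED:
            found[words[0]] = " ".join(words[1:]).strip('"')
    return found


def audit(text):
    """Return (dlv_configured, validation_configured).

    Only explicit settings are read; named's built-in defaults for a
    missing option are not modelled here.
    """
    s = dnssec_settings(text)
    dlv = s.get("dnssec-lookaside", "no") != "no"
    validation = s.get("dnssec-validation", "no") != "no"
    return dlv, validation


if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
    print(audit(SAMPLE_CONF.replace("lookaside auto", "lookaside no")))
```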


Re: [CentOS] CentOS 6.10 bind DNSSEC issues

2020-03-25 Thread Robert Heller
At Wed, 25 Mar 2020 17:03:23 + CentOS mailing list  
wrote:

> 
> Hi,
> 
>      Anyone else had any issues with CentOS 6.10 bind DNS server 
> issues 

Yes.  The installed ISC DLV key installed with 
bind-9.8.2-0.68.rc1.el6_10.3.x86_64 seems to have expired and there does not 
appear to be a new bind-9.8.2 RPM with a new key.  I guess you can *manually* 
fetch a new key (look in the installed /etc/named.iscdlv.key file)

OR

You can just disable dnssec, by commenting out these lines:

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";

and restarting named.

> this afternoon.
> 
> At 16:26 (GMT) had alerts for DNS failures against our CentOS 6.10 bind 
> DNS servers
> from our monitoring system.
> 
> Sure enough DNS requests via the server was failing, checking the 
> named.log showed
> dnssec issues;
> 

[CentOS] CentOS 6.10 bind DNSSEC issues

2020-03-25 Thread Support

Hi,

Anyone else had any issues with CentOS 6.10 bind DNS server issues
this afternoon?

At 16:26 (GMT) had alerts for DNS failures against our CentOS 6.10 bind
DNS servers from our monitoring system.

Sure enough DNS requests via the server were failing, checking the
named.log showed dnssec issues;

25-Mar-2020 16:26:10.285 dnssec: info: validating @0xb48b17c0: 
push.services.mozilla.com A: bad cache hit 
(push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.337 dnssec: info: validating @0xb4858cb0: 
push.services.mozilla.com : bad cache hit 
(push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.349 dnssec: info: validating @0xb48b17c0: 
push.services.mozilla.com : bad cache hit 
(push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.349 dnssec: info: validating @0xb4858cb0: 
push.services.mozilla.com A: bad cache hit 
(push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.359 dnssec: info: validating @0xb1ec0030: 
push.services.mozilla.com A: bad cache hit 
(push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.360 dnssec: info: validating @0xb462c430: 
push.services.mozilla.com : bad cache hit 
(push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.441 dnssec: info: validating @0xb48b17c0: 
push.services.mozilla.com A: bad cache hit 
(push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.441 dnssec: info: validating @0xb4858cb0: 
push.services.mozilla.com : bad cache hit 
(push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.451 dnssec: info: validating @0xb1ec0030: 
push.services.mozilla.com A: bad cache hit 
(push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.452 dnssec: info: validating @0xb462c430: 
push.services.mozilla.com : bad cache hit 
(push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.463 dnssec: info: validating @0xb1ec0030: 
push.services.mozilla.com A: bad cache hit 
(push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.463 dnssec: info: validating @0xb462c430: 
push.services.mozilla.com : bad cache hit 
(push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.474 dnssec: info: validating @0xb1ec0030: 
push.services.mozilla.com : bad cache hit 
(push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.474 dnssec: info: validating @0xb462c430: 
push.services.mozilla.com A: bad cache hit 
(push.services.mozilla.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.898 dnssec: info: validating @0xb48b17c0: 
www.kernel.org : bad cache hit (www.kernel.org.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.899 dnssec: info: validating @0xb4858cb0: 
www.kernel.org A: bad cache hit (www.kernel.org.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.902 dnssec: info: validating @0xb1ec0030: 
www.national-lottery.co.uk A: bad cache hit 
(www.national-lottery.co.uk.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.902 dnssec: info: validating @0xb48b17c0: 
www.mirrorservice.org A: bad cache hit 
(www.mirrorservice.org.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.902 dnssec: info: validating @0xb462c430: 
www.national-lottery.co.uk : bad cache hit 
(www.national-lottery.co.uk.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.903 dnssec: info: validating @0xb48b17c0: 
www.mirrorservice.org : bad cache hit 
(www.mirrorservice.org.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.908 dnssec: info: validating @0xb1ec0030: 
www.kernel.org A: bad cache hit (www.kernel.org.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.909 dnssec: info: validating @0xb462c430: 
www.kernel.org : bad cache hit (www.kernel.org.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.914 dnssec: info: validating @0xb48b17c0: 
www.mirrorservice.org A: bad cache hit 
(www.mirrorservice.org.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.915 dnssec: info: validating @0xb4858cb0: 
www.mirrorservice.org : bad cache hit 
(www.mirrorservice.org.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.915 dnssec: info: validating @0xb48b17c0: 
www.national-lottery.co.uk : bad cache hit 
(www.national-lottery.co.uk.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.916 dnssec: info: validating @0xb48b17c0: 
www.national-lottery.co.uk A: bad cache hit 
(www.national-lottery.co.uk.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.925 dnssec: info: validating @0xb1ec0030: 
www.boredpanda.com A: bad cache hit (www.boredpanda.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.925 dnssec: info: validating @0xb48b17c0: 
www.boredpanda.com : bad cache hit (www.boredpanda.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.927 dnssec: info: validating @0xb48b17c0: 
www.bbc.co.uk : bad cache hit (www.bbc.co.uk.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.927 dnssec: info: validating @0xb4858cb0: 
www.bbc.co.uk A: bad cache hit (www.bbc.co.uk.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.935 dnssec: info: validating @0xb48b17c0: 
www.boredpanda.com A: bad cache hit (www.boredpanda.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.935 dnssec: info: validating @0xb4858cb0: 
www.boredpanda.com : bad cache hit (www.boredpanda.com.dlv.isc.org/DLV)
2
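An added example, not part of the original post: a triage pass over named.log validator entries of the kind shown above, grouping "bad cache hit" failures by the lookaside zone appended to the queried name so a shared cause stands out. It assumes one entry per line as named writes them (the entries on this page are wrapped by the mail client), treats the record type as optional, and uses constructed log lines; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed log lines in the format shown in this thread (one entry
# per line); the names and validator addresses are made up.
SAMPLE_LOG = """\
25-Mar-2020 16:26:10.285 dnssec: info: validating @0xb0000001: www.example.com A: bad cache hit (www.example.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.337 dnssec: info: validating @0xb0000002: www.example.com MX: bad cache hit (www.example.com.dlv.isc.org/DLV)
25-Mar-2020 16:26:10.898 dnssec: info: validating @0xb0000001: mail.example.net A: bad cache hit (mail.example.net.dlv.isc.org/DLV)
25-Mar-2020 16:26:11.020 dnssec: info: validating @0xb0000003: www.example.org A: no valid signature found
25-Mar-2020 16:26:11.100 general: info: zone example.test/IN: loaded serial 1
"""

ENTRY = re.compile(r"dnssec: \w+: validating @0x[0-9a-f]+: "
                   r"(?P<name>\S+) (?P<rtype>\S*): (?P<msg>.*)")
DLV_HIT = re.compile(r"bad cache hit \((?P<lookup>\S+)/DLV\)")


def dlv_zone(name, lookup):
    """Return the lookaside zone appended to the queried name, or None."""
    prefix = name.rstrip(".") + "."
    return lookup[len(prefix):] if lookup.startswith(prefix) else None


def triage(log_text):
    """Count validator events and group DLV cache failures by zone."""
    events, zones, names = 0, Counter(), set()
    for line in log_text.splitlines():
        entry = ENTRY.search(line)
        if not entry:
            continue  # not a validator message
        events += 1
        hit = DLV_HIT.search(entry["msg"])
        zone = hit and dlv_zone(entry["name"], hit["lookup"])
        if zone:
            zones[zone] += 1
            names.add(entry["name"])
    return events, dict(zones), sorted(names)


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

When every failing name maps to the same lookaside zone, as in the sample, the problem lies with that one trust path rather than with the individual domains being resolved.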