Re: [SOLVED?] Re: BIND: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

On Tue, Mar 14, 2023 at 08:05:55PM +, Darac Marjal wrote: > On 13/03/2023 23:23, Greg Wooledge wrote: > > I have not to this day figured out what "vendor preset" means here. > It would appear to be > https://www.freedesktop.org/software/systemd/man/systemd.preset.html. If I'm > reading the

Re: [SOLVED?] Re: BIND: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

On 13/03/2023 23:23, Greg Wooledge wrote: On Tue, Mar 14, 2023 at 07:04:02AM +0800, Jeremy Ardley wrote: I replicated your test above and it seems your listing has been accidentally truncated... Pipe it through cat to avoid the "left/right scrolling" crap. If you want to do this regularly,

Re: [SOLVED?] Re: BIND: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

Mar 13, 2023, 23:33 by jer...@ardley.org: > You may be happy to learn you can't even install it as a separate package any > more. > > apt  install --reinstall systemd-resolved > Reading package lists... Done > Building dependency tree... Done > Reading state information... Done > Package

Re: [SOLVED?] Re: BIND: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

On Tue, Mar 14, 2023 at 07:33:00AM +0800, Jeremy Ardley wrote: > So the mystery is how it gets onto a system using a standard install and > which package it comes from now and what is done with any presets unicorn:~$ dpkg -S systemd-resolved systemd: /usr/share/man/man8/systemd-resolved.8.gz

Re: [SOLVED?] Re: BIND: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

On 14/3/23 07:23, Greg Wooledge wrote: I have not to this day figured out what "vendor preset" means here. Mine shows the same as yours -- "disabled; vendor preset: enabled". All I care about is the part that says "disabled". That's the actual state. You may be happy to learn you can't

Re: [SOLVED?] Re: BIND: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

On Tue, Mar 14, 2023 at 07:04:02AM +0800, Jeremy Ardley wrote: > I replicated your test above and it seems your listing has been accidentally > truncated... Pipe it through cat to avoid the "left/right scrolling" crap. > jeremy@testldap:~$ systemctl status systemd-resolved > ●

Re: [SOLVED?] Re: BIND: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

On 14/3/23 06:34, Greg Wooledge wrote: On Tue, Mar 14, 2023 at 06:23:09AM +0800, Jeremy Ardley wrote: FYI systed-resolved is the inbuilt debian caching DNS server which may be enabled by default. It is NOT enabled by default. unicorn:~$ systemctl status systemd-resolved ●

Re: [SOLVED?] Re: BIND: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

On 14/3/23 06:34, Greg Wooledge wrote: On Tue, Mar 14, 2023 at 06:23:09AM +0800, Jeremy Ardley wrote: FYI systed-resolved is the inbuilt debian caching DNS server which may be enabled by default. It is NOT enabled by default. It is if you are using NetworkManager -- Jeremy (Lists)

Re: [SOLVED?] Re: BIND: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

On 14/3/23 06:23, Jeremy Ardley wrote: I had a signed DNS error in a similar configuration using a bind authoritive and caching server. It turned out it was systemd-resolved interfering and/or replacing part of the DNS chain FYI systed-resolved is the inbuilt debian caching DNS server

Re: [SOLVED?] Re: BIND: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

On Tue, Mar 14, 2023 at 06:23:09AM +0800, Jeremy Ardley wrote: > FYI systed-resolved is the inbuilt debian caching DNS server which may be > enabled by default. It is NOT enabled by default. unicorn:~$ systemctl status systemd-resolved ● systemd-resolved.service - Network Name Resolution

Re: [SOLVED?] Re: BIND: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

On Mon, Mar 13, 2023 at 11:14:20PM +0100, local10 wrote: > Strangely, the issue resolved itself without me having to do anything. Am > really puzzled as to what it was. Perhaps the internet provider suddenly > started to block DNS queries but then allowed them again? If so, why did > dig's

Re: [SOLVED?] Re: BIND: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

On 14/3/23 06:14, local10 wrote: Strangely, the issue resolved itself without me having to do anything. Am really puzzled as to what it was. Perhaps the internet provider suddenly started to block DNS queries but then allowed them again? If so, why did dig's message say that there was

Re: [SOLVED?] BIND: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

> On Mar 13, 2023, at 4:14 PM, local10 wrote: > > Mar 13, 2023, 21:42 by recovery...@enotuniq.net: > >> Well, it was worth to check it. >> >> >> Next idea is somewhat more complicated. >> >> Install tcpdump. >> Run: >> tcpdump -pni any -s0 -w /tmp/dns.pcap -c 30 udp port 53 or tcp port 53

[SOLVED?] Re: BIND: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

Mar 13, 2023, 21:42 by recovery...@enotuniq.net: > Well, it was worth to check it. > > > Next idea is somewhat more complicated. > > Install tcpdump. > Run: > tcpdump -pni any -s0 -w /tmp/dns.pcap -c 30 udp port 53 or tcp port 53 > Bounce BIND, wait for a minute at least. > Do some DNS queries.

Re: BIND: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

Hi. On Mon, Mar 13, 2023 at 08:53:35PM +0100, local10 wrote: > Mar 13, 2023, 12:06 by recovery...@enotuniq.net: > > > Looks correct, assuming that the contents of the key start with AwEAAaz > > and end with V74bU=. > > > > > > Look at /usr/share/dns/root.key. Compare its contents

Re: BIND: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

Mar 13, 2023, 11:50 by mv...@free.fr: > Did you check memory and disk space as suggested by jeremy ? > There's plenty of free RAM (4GB) and disk space (hundreds of GBs). Regards,

Re: BIND: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

Mar 13, 2023, 14:11 by ca...@deccio.net: > Based on what I saw in the logs, your resolver is having trouble reaching the > internet.  It shows problems with both the priming query (./NS) and the trust > query (./DNSKEY).  Could you try running the following? > > $ dig +norec @198.41.0.4 . NS >

Re: BIND: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

Mar 13, 2023, 12:06 by recovery...@enotuniq.net: > Looks correct, assuming that the contents of the key start with AwEAAaz > and end with V74bU=. > > > Look at /usr/share/dns/root.key. Compare its contents with > /etc/bind/bind.keys. Replace the latter if needed. > > "dpkg-reconfigure -plow

Re: BIND: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

> On Mar 13, 2023, at 12:08 AM, local10 wrote: > > I have a local caching DNS server that was working fine for a long time but > today, all of a sudden, it stopped resolving queries. > > More info: https://pastebin.com/iW5YeXgS > > Any ideas? Thanks Based on what I saw in the logs, your

Re: BIND: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

On Mon, Mar 13, 2023 at 12:29:44PM +0100, local10 wrote: > Mar 13, 2023, 10:57 by recovery...@enotuniq.net: > > > And now to the serious stuff. > > > > First things first, the log. > > > > Mar 13 05:03:18 tst named[52836]: 13-Mar-2023 05:03:18.963 queries: info: > > client @0x7f7812816d68

Re: BIND: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

Le 13 mars 2023 local a écrit : > Sure, I could have used some public DNS server and I may have to do that if I > can't get this issue resolved. Still, I'd like to understand why BIND > suddenly stopped working[1] for me and how to fix it. > > Regards, > > 1. It was working fine yesterday and I

Re: BIND: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

Mar 13, 2023, 11:24 by g...@wooledge.org: > For the record: > > unicorn:~$ sudo ss -ntlp | grep :53 > [sudo] password for greg: > LISTEN 0 20 0.0.0.0:53 0.0.0.0:* > users:(("dnscache",pid=664,fd=4)) > > In general, ss replaces netstat for this kind of query. I don't

Re: BIND: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

Mar 13, 2023, 10:57 by recovery...@enotuniq.net: > And now to the serious stuff. > > First things first, the log. > > Mar 13 05:03:18 tst named[52836]: 13-Mar-2023 05:03:18.963 queries: info: > client @0x7f7812816d68 127.0.0.1#38800 (www.yahoo.com > ): query: >

Re: BIND: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

On Mon, Mar 13, 2023 at 09:19:41AM +0100, local10 wrote: > Mar 13, 2023, 07:25 by jer...@ardley.org: > > > Try > > > > netstat -tulpnW | grep 53 > > > > and see what's listening > > > > Bind seems to be listening on 127.0.0.1 port 53. > > I don't have netstat installed and can't easily install

Re: BIND: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

Hi. On Mon, Mar 13, 2023 at 10:57:48AM +0100, local10 wrote: > Mar 13, 2023, 09:32 by jer...@ardley.org: > > > My next best option is simply to remove your bind caching server (it sounds > > like it's not really necessary in your application) > > > > Backup /etc/bind and /var/cache/bind

Re: BIND: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

Mar 13, 2023, 09:32 by jer...@ardley.org: > My next best option is simply to remove your bind caching server (it sounds > like it's not really necessary in your application) > > Backup /etc/bind and /var/cache/bind > > then > > systemctl remove bind9 > > systemctl purge bind9 > > And then edit

Re: BIND: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

On 13/3/23 17:12, local10 wrote: "debug 1;" doesn't seem to be a valid option, couldn't start BIND with it.  Anyhow, the following is what I get when running "dig www.yahoo.com" Mar 13 05:03:11 tst systemd[1]: Started named.service - BIND Domain Name Server. Mar 13 05:03:11 tst

Re: BIND: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

Mar 13, 2023, 08:31 by jer...@ardley.org: > Sorry. Last message was garbled. Try this in /etc/bind/named.conf.options > > options { >     // other configuration options ... >     debug 1; >     logging { >     channel debug_log { >     file

Re: BIND: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

On 13/3/23 16:19, local10 wrote: Mar 13, 2023, 07:25 by jer...@ardley.org: Try netstat -tulpnW | grep 53 and see what's listening Bind seems to be listening on 127.0.0.1 port 53. I don't have netstat installed and can't easily install it as aptitude can't resolve Debian server's name

Re: BIND: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

On 13/3/23 16:19, local10 wrote: Bind seems to be listening on 127.0.0.1 port 53. I don't have netstat installed and can't easily install it as aptitude can't resolve Debian server's name to an IP, so the following is what I tried: # telnet -4 127.0.0.1 53 Trying 127.0.0.1... Connected to

Re: BIND: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

Mar 13, 2023, 07:25 by jer...@ardley.org: > Try > > netstat -tulpnW | grep 53 > > and see what's listening > Bind seems to be listening on 127.0.0.1 port 53. I don't have netstat installed and can't easily install it as aptitude can't resolve Debian server's name to an IP, so the following is

Re: BIND: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

On 13/3/23 14:34, local10 wrote: Mar 13, 2023, 06:19 by jer...@ardley.org: The contents of /etc/resolv.conf are always of interest. There's really not much there: # cat /etc/resolv.conf nameserver 127.0.0.1 That and /etc/nsswitch.conf a/etc/hosts # cat /etc/nsswitch.conf #

Re: BIND: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

Mar 13, 2023, 06:19 by jer...@ardley.org: > The contents of /etc/resolv.conf are always of interest. > There's really not much there: # cat /etc/resolv.conf nameserver 127.0.0.1 > That and /etc/nsswitch.conf a/etc/hosts > # cat /etc/nsswitch.conf # /etc/nsswitch.conf # # Example

Re: BIND: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

On 13/3/23 14:08, local10 wrote: Hi, I have  a local caching DNS server that was working fine for a long time but today, all of a sudden, it stopped resolving queries. More info: https://pastebin.com/iW5YeXgS Any ideas? Thanks The contents of /etc/resolv.conf are always of interest.

BIND: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

Hi, I have  a local caching DNS server that was working fine for a long time but today, all of a sudden, it stopped resolving queries. More info: https://pastebin.com/iW5YeXgS Any ideas? Thanks