I have 3 CentOS 8 servers running Unbound (the CentOS packaged version, 1.7.3 with patches). Periodically, one of them will stop being able to validate any DNSSEC, causing lookup failures. I haven't been able to find any common incident or trigger that may be causing it (it'll only happen on one at a time, but has happened at least once to each of the three).
It starts with log entries like:

Nov 22 14:01:28 dns-cache3 unbound[1117]: [1117:0] info: validation failure . SOA IN

Then when it tries to do the RFC keytag query:

Nov 22 16:20:52 dns-cache3 unbound[1117]: [1117:0] info: generate keytag query _ta-4f66. NULL IN
Nov 22 16:20:52 dns-cache3 unbound[1117]: [1117:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Nov 22 16:20:52 dns-cache3 unbound[1117]: [1117:0] info: generate keytag query _ta-4f66. NULL IN

And then eventually all validation fails. It's just about the default (at least CentOS-packaged) config, with just adjustments for the cache sizes and ACLs. The VMs are just running unbound and keepalived (to float virtual IPs around with VRRP). Is there any known issue that can cause this, either in Unbound itself or external (on the VMs, the network, etc.)? I checked that the clocks are correct. I've been running Unbound on lots of ISP servers for years, and this is the only setup where I've had this problem.

-- Chris Adams <[email protected]>
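An added monitoring example, not part of the post and not Unbound's own tooling: a small Python parser for syslog lines in the format quoted above that counts validation failures per host, records the key tags announced in the RFC 8145 `_ta-` signalling query, and flags the "failed to prime trust anchor" condition, which is the point at which a resolver like this should be alerted on and pulled from the VRRP pool. The sample lines are constructed after the ones in the post; the `_ta-4f66` tag decodes to 20326, the current root KSK.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the syslog format quoted in the post.
SAMPLE_LOG = """\
Nov 22 14:01:28 dns-cache3 unbound[1117]: [1117:0] info: validation failure . SOA IN
Nov 22 14:05:10 dns-cache3 unbound[1117]: [1117:0] info: validation failure example.org. A IN
Nov 22 16:20:52 dns-cache3 unbound[1117]: [1117:0] info: generate keytag query _ta-4f66. NULL IN
Nov 22 16:20:52 dns-cache3 unbound[1117]: [1117:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Nov 22 16:20:52 dns-cache3 unbound[1117]: [1117:0] info: generate keytag query _ta-4f66. NULL IN
"""

# syslog prefix: "<timestamp> <host> unbound[<pid>]: [<pid>:<thread>] <level>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) unbound\[\d+\]: "
    r"\[\d+:\d+\] (?P<level>\w+): (?P<msg>.*)$"
)
VALIDATION_RE = re.compile(r"^validation failure (?P<name>\S+) (?P<type>\S+) (?P<class>\S+)")
# RFC 8145 key tag signalling: "_ta-<hex tag>[-<hex tag>...]." queried as type NULL
KEYTAG_RE = re.compile(r"^generate keytag query _ta-(?P<tags>[0-9a-f-]+)\.")
PRIME_FAIL = "failed to prime trust anchor"


def analyse(log_text):
    """Summarise Unbound log text: per-host validation failure counts, which
    hosts failed to prime their trust anchor, and the key tags each signalled."""
    failures = Counter()
    prime_failed = {}
    keytags = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an Unbound line in the expected format
        host, msg = m.group("host"), m.group("msg")
        if VALIDATION_RE.match(msg):
            failures[host] += 1
        elif msg.startswith(PRIME_FAIL):
            prime_failed[host] = True
        else:
            k = KEYTAG_RE.match(msg)
            if k:
                tags = (int(t, 16) for t in k.group("tags").split("-"))
                keytags.setdefault(host, set()).update(tags)
    return {"failures": dict(failures), "prime_failed": prime_failed, "keytags": keytags}


def needs_attention(summary, host, threshold=1):
    """True when the host failed to prime its trust anchor (every answer will
    become bogus) or logged more than `threshold` validation failures."""
    return summary["prime_failed"].get(host, False) or summary["failures"].get(host, 0) > threshold
```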
