As per your previous email at 17:54, where you shared Sparklight's response: Quad9 uses strict DNS checking, IIRC, so you should add another couple of cloud DNS resolvers like 1.1.1.1 and 8.8.8.8 that fall back to resolving when DNSSEC is broken at the destination.
    forwarders {
        // Sparklight
        // 24.116.0.53;
        // 24.116.2.50;
        9.9.9.9;
        8.8.8.8;
        1.1.1.1;
    };
Others will probably have smarter thoughts to share than this, but it should get you working again.
HTH,
Ed.
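Editor's note, with an added check that is not part of Ed's or Philip's posts: before relying on one forwarder being "strict" and another "falling back", confirm what each of them actually does with a DNSSEC-signed name and a deliberately mis-signed one. Quad9 (9.9.9.9), Google Public DNS (8.8.8.8) and Cloudflare (1.1.1.1) all perform DNSSEC validation, so all three return SERVFAIL for a name whose signatures do not verify; what differs between them is the network path, not the validation policy. Also, named with `dnssec-validation auto` validates answers itself and ignores the forwarder's AD bit, so a non-validating forwarder would not rescue a zone that is genuinely broken; extra forwarders only help when the problem is reaching 9.9.9.9. The script below is mine, not from the thread. It assumes `dig` is installed, that isc.org is a signed zone, and that dnssec-failed.org (Comcast's intentionally broken test zone) is still published; the function names and the `status=... ad=...` output format are my own.

```shell
#!/bin/sh
# Added example (not from the bind-users thread): classify each candidate
# forwarder as validating / non-validating / unreachable from two dig probes.
# Assumptions: dig is installed; isc.org is DNSSEC-signed; dnssec-failed.org is
# a deliberately mis-signed test zone (both names are assumptions, swap as needed).

# Reduce dig output on stdin to one machine-checkable line: "status=<RCODE> ad=<0|1>".
# A timed-out query has no header at all, which is reported as status=NONE.
dig_summary() {
    awk '
        BEGIN { st = ""; ad = 0 }
        /;; ->>HEADER<<-/ {
            for (i = 1; i <= NF; i++) if ($i == "status:") { st = $(i + 1); sub(/,$/, "", st) }
        }
        /^;; flags:/ {
            for (i = 1; i <= NF; i++) { f = $i; sub(/;$/, "", f); if (f == "ad") ad = 1 }
        }
        END { printf "status=%s ad=%d\n", (st == "" ? "NONE" : st), ad }
    '
}

# Interpret the two summaries (signed name, broken name):
#   validating      -> signed name answered with AD set, broken name SERVFAIL
#   non-validating  -> both answered, AD never set (would pass bogus data through)
#   unreachable     -> no response to the signed name at all (path problem, not DNSSEC)
classify() {
    good=$1
    bad=$2
    case "$good" in
        "status=NONE"*) echo unreachable; return ;;
    esac
    case "$good|$bad" in
        "status=NOERROR ad=1|status=SERVFAIL"*) echo validating ;;
        "status=NOERROR ad=0|status=NOERROR"*)  echo non-validating ;;
        *)                                      echo inconclusive ;;
    esac
}

# Probe one resolver. +dnssec sets the DO bit so a validating resolver will set AD.
check_forwarder() {
    server=$1
    good=$(dig +dnssec +time=3 +tries=1 @"$server" A isc.org | dig_summary)
    bad=$(dig +dnssec +time=3 +tries=1 @"$server" A dnssec-failed.org | dig_summary)
    printf '%s: signed=[%s] broken=[%s] -> %s\n' "$server" "$good" "$bad" "$(classify "$good" "$bad")"
}

# Usage: sh check-forwarders.sh 9.9.9.9 8.8.8.8 1.1.1.1
for fwd in "$@"; do
    check_forwarder "$fwd"
done
```

"inconclusive" is deliberately a separate bucket: a forwarder that answers SERVFAIL for the signed name as well is usually a sign that larger DNSSEC responses are not getting back to you on that path, which is worth investigating on its own rather than being filed under validation policy.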
On 23/09/2022 20:18, Philip Prindeville wrote:
Hi all,
I've changed locations (moved houses) and consequently ISPs (now on Sparklight,
used to have CTC) and I'm seeing a slew of DNS issues I didn't have before like:
Sep 23 11:42:13 OpenWrt3 named[28113]: timed out resolving
'wdatpsngatewaytmcacane.trafficmanager.net/A/IN': 9.9.9.9#53
Sep 23 11:42:21 OpenWrt3 named[28113]: timed out resolving 'ubuntu.com/DS/IN':
9.9.9.9#53
Sep 23 11:42:21 OpenWrt3 named[28113]: broken trust chain resolving
'connectivity-check.ubuntu.com/A/IN': 9.9.9.9#53
Sep 23 11:42:31 OpenWrt3 named[28113]: managed-keys-zone: Key 20326 for zone .
is now trusted (acceptance timer complete)
Sep 23 11:42:44 OpenWrt3 named[28113]: timed out resolving
'visualstudio.com/DS/IN': 9.9.9.9#53
Sep 23 11:42:44 OpenWrt3 named[28113]: broken trust chain resolving
'dc.services.visualstudio.com/A/IN': 9.9.9.9#53
Sep 23 11:43:19 OpenWrt3 named[28113]: timed out resolving
'connectivity-check.ubuntu.com/A/IN': 9.9.9.9#53
Sep 23 11:43:20 OpenWrt3 named[28113]: timed out resolving
'tp.b16066390-frontier.amazonalexa.com/A/IN': 9.9.9.9#53
Sep 23 11:43:22 OpenWrt3 named[28113]: timed out resolving
'connectivity-check.ubuntu.com/A/IN': 9.9.9.9#53
Sep 23 11:43:22 OpenWrt3 named[28113]: timed out resolving
'fmfmobile.fe.apple-dns.net/A/IN': 9.9.9.9#53
Sep 23 11:43:26 OpenWrt3 named[28113]: timed out resolving
'connectivity-check.ubuntu.com/A/IN': 9.9.9.9#53
Sep 23 11:43:26 OpenWrt3 named[28113]: timed out resolving
'tp.b16066390-frontier.amazonalexa.com/A/IN': 9.9.9.9#53
Sep 23 11:43:45 OpenWrt3 named[28113]: timed out resolving
'us-sandbox-courier-4.push-apple.com.akadns.net/A/IN': 9.9.9.9#53
Sep 23 11:43:45 OpenWrt3 named[28113]: timed out resolving
'e6858.dscx.akamaiedge.net/A/IN': 9.9.9.9#53
Sep 23 11:43:50 OpenWrt3 named[28113]: timed out resolving
'imap.gmail.com/A/IN': 9.9.9.9#53
Sep 23 11:43:50 OpenWrt3 named[28113]: timed out resolving
'mail.employees.org/A/IN': 9.9.9.9#53
Sep 23 11:43:55 OpenWrt3 named[28113]: timed out resolving
'swdist.apple.com/A/IN': 9.9.9.9#53
Sep 23 11:43:56 OpenWrt3 named[28113]: validating x.incapdns.net/SOA: no
valid signature found
Sep 23 11:44:08 OpenWrt3 named[28113]: timed out resolving
'16.courier-push-apple.com.akadns.net/A/IN': 9.9.9.9#53
Sep 23 11:44:09 OpenWrt3 named[28113]: timed out resolving 'sdk.split.io/A/IN':
9.9.9.9#53
Sep 23 11:44:09 OpenWrt3 named[28113]: timed out resolving
'e3.shared.global.fastly.net/HTTPS/IN': 9.9.9.9#53
Sep 23 11:45:39 OpenWrt3 named[28113]: timed out resolving
's-0005.s-msedge.net/HTTPS/IN': 9.9.9.9#53
Sep 23 11:45:49 OpenWrt3 named[28113]: timed out resolving
'onedscolprdwus03.westus.cloudapp.azure.com/A/IN': 9.9.9.9#53
Sep 23 11:46:24 OpenWrt3 named[28113]: timed out resolving
'onedscolprdwus03.westus.cloudapp.azure.com/A/IN': 9.9.9.9#53
Sep 23 11:47:07 OpenWrt3 named[28113]: timed out resolving
'e6987.a.akamaiedge.net/A/IN': 9.9.9.9#53
Sep 23 11:49:05 OpenWrt3 named[28113]: timed out resolving
'teams.office.com/A/IN': 9.9.9.9#53
Sep 23 11:49:29 OpenWrt3 named[28113]: timed out resolving
'2.courier-push-apple.com.akadns.net/A/IN': 9.9.9.9#53
Sep 23 11:49:29 OpenWrt3 named[28113]: timed out resolving
'gateway.fe.apple-dns.net/A/IN': 9.9.9.9#53
Sep 23 11:50:03 OpenWrt3 named[28113]: timed out resolving
'ak.privatelink.msidentity.com/A/IN': 9.9.9.9#53
Sep 23 11:50:19 OpenWrt3 named[28113]: timed out resolving
'safebrowsing.googleapis.com/A/IN': 9.9.9.9#53
Sep 23 11:50:20 OpenWrt3 named[28113]: timed out resolving 'netgear.com/DS/IN':
9.9.9.9#53
Sep 23 11:50:20 OpenWrt3 named[28113]: broken trust chain resolving
'_adsp._domainkey.netgear.com/TXT/IN': 9.9.9.9#53
Sep 23 11:50:20 OpenWrt3 named[28113]: broken trust chain resolving
'image.e.netgear.com/A/IN': 9.9.9.9#53
Sep 23 11:50:20 OpenWrt3 named[28113]: broken trust chain resolving
'netgear.com/A/IN': 9.9.9.9#53
Sep 23 11:50:20 OpenWrt3 named[28113]: broken trust chain resolving
'netgear.com/NS/IN': 9.9.9.9#53
Sep 23 11:50:20 OpenWrt3 named[28113]: broken trust chain resolving
'community.netgear.com/A/IN': 9.9.9.9#53
Sep 23 11:50:20 OpenWrt3 named[28113]: broken trust chain resolving
'www.netgear.com/A/IN': 9.9.9.9#53
Sep 23 11:50:20 OpenWrt3 named[28113]: timed out resolving
'support-intelligence.net/DS/IN': 9.9.9.9#53
Sep 23 11:50:20 OpenWrt3 named[28113]: broken trust chain resolving
'netgear.com.dob.sibl.support-intelligence.net/A/IN': 9.9.9.9#53
Sep 23 11:50:20 OpenWrt3 named[28113]: broken trust chain resolving
'khoros-mail.com.dob.sibl.support-intelligence.net/A/IN': 9.9.9.9#53
Sep 23 11:50:20 OpenWrt3 named[28113]: timed out resolving
'58.249.124.192.zen.spamhaus.org/A/IN': 9.9.9.9#53
Sep 23 11:50:20 OpenWrt3 named[28113]: timed out resolving
'ns3.dnsmadeeasy.com/A/IN': 9.9.9.9#53
Sep 23 11:50:20 OpenWrt3 named[28113]: timed out resolving
'ns4.dnsmadeeasy.com/A/IN': 9.9.9.9#53
Sep 23 11:50:20 OpenWrt3 named[28113]: timed out resolving
'ns0.dnsmadeeasy.com/A/IN': 9.9.9.9#53
Sep 23 11:50:20 OpenWrt3 named[28113]: timed out resolving 'sendgrid.net/A/IN':
9.9.9.9#53
Sep 23 11:50:46 OpenWrt3 named[28113]: timed out resolving
'gateway.fe.apple-dns.net/A/IN': 9.9.9.9#53
Sep 23 11:51:23 OpenWrt3 named[28113]: timed out resolving
'amazonalexa.com/DS/IN': 9.9.9.9#53
Sep 23 11:51:23 OpenWrt3 named[28113]: broken trust chain resolving
'tp.b16066390-frontier.amazonalexa.com/AAAA/IN': 9.9.9.9#53
Sep 23 11:51:59 OpenWrt3 named[28113]: timed out resolving
'sdk.split.io/HTTPS/IN': 9.9.9.9#53
Sep 23 11:52:20 OpenWrt3 named[28113]: timed out resolving
'www-linkedin-com.l-0005.l-msedge.net/A/IN': 9.9.9.9#53
Sep 23 11:53:04 OpenWrt3 named[28113]: timed out resolving
'calendar.google.com/HTTPS/IN': 9.9.9.9#53
Sep 23 11:53:04 OpenWrt3 named[28113]: timed out resolving
'calendar.google.com/A/IN': 9.9.9.9#53
Sep 23 11:56:04 OpenWrt3 named[28113]: timed out resolving
'113673-23.chat.api.drift.com/HTTPS/IN': 9.9.9.9#53
Sep 23 11:56:07 OpenWrt3 named[28113]: timed out resolving
'trouter2-azsc-usce-1-b.cloudapp.net/AAAA/IN': 9.9.9.9#53
Sep 23 11:57:46 OpenWrt3 named[28113]: timed out resolving
'azurewebsites.net/DS/IN': 9.9.9.9#53
Sep 23 11:57:46 OpenWrt3 named[28113]: broken trust chain resolving
'opensourcereposprod.azurewebsites.net/A/IN': 9.9.9.9#53
Sep 23 11:58:04 OpenWrt3 named[28113]: timed out resolving
'gateway.prod.us-east-1.forester.a2z.com/A/IN': 9.9.9.9#53
Sep 23 11:58:04 OpenWrt3 named[28113]: timed out resolving
'gateway.prod.us-east-1.forester.a2z.com/HTTPS/IN': 9.9.9.9#53
Sep 23 11:58:51 OpenWrt3 named[28113]: timed out resolving
'crateandbarrel.syf.com.edgekey.net/A/IN': 9.9.9.9#53
Sep 23 11:58:51 OpenWrt3 named[28113]: timed out resolving
'awsdns-40.net/DS/IN': 9.9.9.9#53
Sep 23 11:58:51 OpenWrt3 named[28113]: broken trust chain resolving
'ns-832.awsdns-40.net/A/IN': 9.9.9.9#53
Sep 23 11:59:04 OpenWrt3 named[28113]: timed out resolving
'pd-cdn.itunes-apple.com.akadns.net/HTTPS/IN': 9.9.9.9#53
Sep 23 11:59:13 OpenWrt3 named[28113]: timed out resolving
'prod.ocws1.live.com.akadns.net/A/IN': 9.9.9.9#53
As you can see, a LOT of noise.
And I can't use the ISP's name servers because they've disabled DNSSEC (which
frankly terrifies me).
My config largely looks like:
// This is the primary configuration file for the BIND DNS server named.
options {
directory "/tmp";
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders {
// Sparklight
// 24.116.0.53;
// 24.116.2.50;
9.9.9.9;
};
recursion yes;
// note that all subnets are visible to each other;
// if we wished to isolate them we could use "views".
allow-query {
localhost;
192.168.6.0/24;
192.168.7.0/24;
192.168.8.0/24;
};
auth-nxdomain no; # conform to RFC1035
// added by philipp
allow-transfer { none; };
// dnssec-validation no;
dnssec-validation auto;
listen-on-v6 { none; };
};
include "/etc/bind/named-rndc.conf";
include "/tmp/bind/named.conf.local";
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
And /tmp/bind/named.conf.local relates to a couple of dynamically generated
zones that ISC-DHCP writes:
zone "redfish-solutions.com" {
type master;
file "/tmp/bind/db.redfish-solutions.com";
update-policy {
grant local-ddns zonesub any;
};
};
zone "168.192.in-addr.arpa" {
type master;
file "/tmp/bind/db.168.192.in-addr.arpa";
update-policy {
grant local-ddns zonesub any;
};
};
Why all the timeouts and broken trust chains?
Is something wrong with my configuration? My build is:
BIND 9.18.4 (Stable Release) <id:1712e5b>
running on Linux x86_64 5.10.75 #0 SMP Thu Oct 28 23:05:28 2021
built by make with '--target=x86_64-openwrt-linux'
'--host=x86_64-openwrt-linux' '--build=x86_64-pc-linux-gnu' '--program-prefix='
'--program-suffix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin'
'--sbindir=/usr/sbin' '--libexecdir=/usr/lib' '--sysconfdir=/etc'
'--datadir=/usr/share' '--localstatedir=/var' '--mandir=/usr/man'
'--infodir=/usr/info'
'--with-openssl=/home/philipp/lede/staging_dir/target-x86_64_musl/usr'
'--without-lmdb' '--enable-epoll' '--without-gssapi' '--without-readline'
'--sysconfdir=/etc/bind' '--with-json-c=no' '--with-libxml2=no' '--enable-doh'
'build_alias=x86_64-pc-linux-gnu' 'host_alias=x86_64-openwrt-linux'
'target_alias=x86_64-openwrt-linux' 'CC=x86_64-openwrt-linux-musl-gcc'
'CFLAGS=-Os -pipe -fno-caller-saves -fno-plt -fhonour-copts
-Wno-error=unused-but-set-variable -Wno-error=unused-result
-fmacro-prefix-map=/home/philipp/lede/build_dir/target-x86_64_musl/bind-9.18.4=bind-9.18.4
-Wformat -Werror=format-security -fstack-protector -D_FORTIFY_SOURCE=1 -Wl,-z,now -Wl,-z,relro '
'LDFLAGS=-L/home/philipp/lede/staging_dir/toolchain-x86_64_gcc-11.3.0_musl/usr/lib
-L/home/philipp/lede/staging_dir/toolchain-x86_64_gcc-11.3.0_musl/lib -znow
-zrelro -Wl,--gc-sections,--as-needed '
'CPPFLAGS=-I/home/philipp/lede/staging_dir/toolchain-x86_64_gcc-11.3.0_musl/usr/include
-I/home/philipp/lede/staging_dir/toolchain-x86_64_gcc-11.3.0_musl/include/fortify
-I/home/philipp/lede/staging_dir/toolchain-x86_64_gcc-11.3.0_musl/include '
'PKG_CONFIG=/home/philipp/lede/staging_dir/host/bin/pkg-config'
'PKG_CONFIG_PATH=/home/philipp/lede/staging_dir/target-x86_64_musl/usr/lib/pkgconfig:/home/philipp/lede/staging_dir/target-x86_64_musl/usr/share/pkgconfig'
'PKG_CONFIG_LIBDIR=/home/philipp/lede/staging_dir/target-x86_64_musl/usr/lib/pkgconfig:/home/philipp/lede/staging_dir/target-x86_64_musl/usr/share/pkgconfig'
compiled by GCC 11.3.0
compiled with OpenSSL version: OpenSSL 1.1.1q 5 Jul 2022
linked to OpenSSL version: OpenSSL 1.1.1l 24 Aug 2021
compiled with libuv version: 1.44.1
linked to libuv version: 1.41.1
compiled with libnghttp2 version: 1.44.0
linked to libnghttp2 version: 1.44.0
compiled with zlib version: 1.2.12
linked to zlib version: 1.2.11
threads support is enabled
default paths:
named configuration: /etc/bind/named.conf
rndc configuration: /etc/bind/rndc.conf
DNSSEC root key: /etc/bind/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/named.pid
named lock file: /var/run/named/named.lock
And it gets fired up as:
/usr/sbin/named -u bind -f -c /etc/bind/named.conf
Via the init.d wrapper.
Probably should run it with -4 since my ISP didn't provide me an IPv6
address... I'll look into an easy way of detecting IPv6 provisioning on
public interfaces and add that argument if it's absent.
-Philip
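A triage script added here (not from the thread) that runs over named log lines in the wrapped form shown in the message above, re-joins the continuation lines, and separates three things the log mixes together: plain timeouts per upstream server, DS lookups that timed out, and "broken trust chain" entries that are explained by a DS timeout on a parent zone versus ones that are not, plus "no valid signature found" entries, which are the only genuine signature failures in the excerpt. The sample log is constructed from entries in Philip's message; the function names and the summary wording are my own.

```shell
#!/bin/sh
# Added example (not from the bind-users thread): triage BIND named log lines.
# Accepts the mail-wrapped form (an entry may continue on the next line).

# Constructed sample: entries copied from the message above, wrapped as there.
sample_log() {
    cat <<'EOF'
Sep 23 11:42:13 OpenWrt3 named[28113]: timed out resolving
'wdatpsngatewaytmcacane.trafficmanager.net/A/IN': 9.9.9.9#53
Sep 23 11:42:21 OpenWrt3 named[28113]: timed out resolving 'ubuntu.com/DS/IN':
9.9.9.9#53
Sep 23 11:42:21 OpenWrt3 named[28113]: broken trust chain resolving
'connectivity-check.ubuntu.com/A/IN': 9.9.9.9#53
Sep 23 11:42:31 OpenWrt3 named[28113]: managed-keys-zone: Key 20326 for zone .
is now trusted (acceptance timer complete)
Sep 23 11:43:50 OpenWrt3 named[28113]: timed out resolving
'imap.gmail.com/A/IN': 9.9.9.9#53
Sep 23 11:43:56 OpenWrt3 named[28113]: validating x.incapdns.net/SOA: no
valid signature found
Sep 23 11:50:20 OpenWrt3 named[28113]: timed out resolving 'netgear.com/DS/IN':
9.9.9.9#53
Sep 23 11:50:20 OpenWrt3 named[28113]: broken trust chain resolving
'netgear.com/A/IN': 9.9.9.9#53
Sep 23 11:50:20 OpenWrt3 named[28113]: broken trust chain resolving
'www.netgear.com/A/IN': 9.9.9.9#53
EOF
}

# Read named log lines on stdin, print a summary and a verdict on stdout.
# The single quote is passed in as q so the awk program can stay single-quoted.
triage_named_log() {
    awk -v q="'" '
    # A log entry starts with a month name; anything else is a wrapped continuation.
    /^(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) +[0-9]+ / {
        if (cur != "") process(cur)
        cur = $0
        next
    }
    { cur = cur " " $0 }
    END { if (cur != "") process(cur); report() }

    function process(line,    f, s, server, parts, name, type, lab, n, i, suf, hit) {
        if (line ~ /timed out resolving /) {
            # f[2] = name/type/class between the quotes, f[3] = ": server#port"
            split(line, f, q)
            server = f[3]; sub(/^: */, "", server)
            split(f[2], parts, "/"); name = parts[1]; type = parts[2]
            timeouts[server]++
            if (type == "DS") { ds_to[name] = 1; ds_count++ }
        } else if (line ~ /broken trust chain resolving /) {
            split(line, f, q)
            split(f[2], parts, "/"); name = parts[1]
            # Walk the name from the right: did an ancestor zone have a DS timeout?
            n = split(name, lab, "."); suf = ""; hit = ""
            for (i = n; i >= 1 && hit == ""; i--) {
                suf = (suf == "") ? lab[i] : lab[i] "." suf
                if (suf in ds_to) hit = suf
            }
            if (hit != "") { explained++ } else { unexplained++; unexpl[name] = 1 }
        } else if (line ~ /: no valid signature found/) {
            s = line; sub(/.*validating /, "", s); sub(/: no valid signature found.*/, "", s)
            sigfail[s] = 1
        }
    }

    function report(    s, n) {
        for (s in timeouts) printf "timeouts via %s: %d\n", s, timeouts[s]
        printf "DS lookups that timed out: %d\n", ds_count + 0
        printf "broken trust chains explained by a parent DS timeout: %d\n", explained + 0
        printf "broken trust chains with no matching DS timeout: %d\n", unexplained + 0
        for (n in unexpl)  printf "  unexplained: %s\n", n
        for (n in sigfail) printf "genuine validation failure (bad signature): %s\n", n
        if (explained > 0 && unexplained == 0)
            print "verdict: trust-chain errors follow DS timeouts; suspect the path to the forwarder, not the zones"
        else if (unexplained > 0)
            print "verdict: some trust-chain errors have no DS timeout; check those names with delv or dig +dnssec"
    }
    '
}

# Usage: sh triage-named.sh /path/to/named.log   (or: logread | grep named | sh triage-named.sh -)
if [ -n "${1:-}" ]; then
    if [ "$1" = "-" ]; then triage_named_log; else triage_named_log < "$1"; fi
else
    sample_log | triage_named_log
fi
```

On the excerpt above every "broken trust chain" entry sits right behind a "timed out resolving '<parent>/DS/IN'" entry for the same forwarder, so the verdict points at the path between named and 9.9.9.9 rather than at the zones; the lone x.incapdns.net line is the only real signature failure. A natural next check is whether the DS query succeeds when sent directly, e.g. `dig +dnssec +bufsize=1232 DS ubuntu.com @9.9.9.9`, and whether the same query behaves differently over TCP (`+tcp`).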
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users