Re: BIND: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

[Jeremy Ardley]

On 13/3/23 17:12, local10 wrote:

"debug 1;" doesn't seem to be a valid option, couldn't start BIND with it.  Anyhow, the 
following is what I get when running "dig www.yahoo.com"

Mar 13 05:03:11 tst systemd[1]: Started named.service - BIND Domain Name Server.
Mar 13 05:03:11 tst named[52836]: 13-Mar-2023 05:03:11.639 general: notice: 
running
Mar 13 05:03:18 tst named[52836]: 13-Mar-2023 05:03:18.963 queries: info: client 
@0x7f7812816d68 127.0.0.1#38800 (www.yahoo.com <http://www.yahoo.com>): query: 
www.yahoo.com <http://www.yahoo.com> IN A +E(0)K (127.0.0.1)
Mar 13 05:03:21 tst named[52836]: 13-Mar-2023 05:03:21.631 dnssec: warning: 
managed-keys-zone: Unable to fetch DNSKEY set '.': timed out
Mar 13 05:03:21 tst named[52836]: 13-Mar-2023 05:03:21.711 resolver: info: 
resolver priming query complete: timed out
Mar 13 05:03:23 tst named[52836]: 13-Mar-2023 05:03:23.966 queries: info: client 
@0x7f7812817b68 127.0.0.1#51554 (www.yahoo.com <http://www.yahoo.com>): query: 
www.yahoo.com <http://www.yahoo.com> IN A +E(0)K (127.0.0.1)
Mar 13 05:03:28 tst named[52836]: 13-Mar-2023 05:03:28.970 queries: info: client 
@0x7f78c9eb1168 127.0.0.1#42404 (www.yahoo.com <http://www.yahoo.com>): query: 
www.yahoo.com <http://www.yahoo.com> IN A +E(0)K (127.0.0.1)
Mar 13 05:03:30 tst named[52836]: 13-Mar-2023 05:03:30.970 resolver: info: shut down 
hung fetch while resolving 'www.yahoo.com/A <http://www.yahoo.com/A>'
Mar 13 05:03:30 tst named[52836]: 13-Mar-2023 05:03:30.970 query-errors: info: client 
@0x7f78c9eb1168 127.0.0.1#42404 (www.yahoo.com <http://www.yahoo.com>): query failed 
(operation canceled) for www.yahoo.com/IN/A <http://www.yahoo.com/IN/A> at 
query.c:7775
Mar 13 05:03:30 tst named[52836]: 13-Mar-2023 05:03:30.970 query-errors: info: client 
@0x7f7812816d68 127.0.0.1#38800 (www.yahoo.com <http://www.yahoo.com>): query failed 
(operation canceled) for www.yahoo.com/IN/A <http://www.yahoo.com/IN/A> at 
query.c:7775
Mar 13 05:03:30 tst named[52836]: 13-Mar-2023 05:03:30.970 query-errors: info: client 
@0x7f7812817b68 127.0.0.1#51554 (www.yahoo.com <http://www.yahoo.com>): query failed 
(operation canceled) for www.yahoo.com/IN/A <http://www.yahoo.com/IN/A> at 
query.c:7775
Mar 13 05:03:38 tst named[52836]: 13-Mar-2023 05:03:38.966 resolver: info: 
resolver priming query complete: timed out

My next best option is simply to remove your bind caching server (it 
sounds like it's not really necessary in your application)

Backup /etc/bind and /var/cache/bind

then

systemctl remove bind9

systemctl purge bind9

And then edit /etc/resolv.conf to

nameserver 8.8.8.8
nameserver 8.8.4.4

and with luck everything will work O.K.

You can do variants on that to use your ISP DNS servers instead

You have to be careful in systemd about network processes overwriting 
/etc/resolv.conf. e.g. if you get a DHCP address, or if your system is 
somehow configured to use systemd-resolved which I know to have problems.

Actually before your start anything do

systemctl status systemd-resolved

and if it's not installed things should be fine.

You may get

systemctl status systemd-resolved
● systemd-resolved.service - Network Name Resolution
     Loaded: loaded (/lib/systemd/system/systemd-resolved.service; 
disabled; vendor preset: enabled)
     Active: inactive (dead)
       Docs: man:systemd-resolved.service(8)
             man:org.freedesktop.resolve1(5)
https://www.freedesktop.org/wiki/Software/systemd/writing-network-configuration-managers
https://www.freedesktop.org/wiki/Software/systemd/writing-resolver-clients

which is fine also.

In any case research on its configuration with

man systemd-resolved

I recall it uses a local address 127.0.0.53 to receive DNS queries

--
Jeremy
(Lists)