Hi.

On Mon, Mar 13, 2023 at 10:57:48AM +0100, local10 wrote:
> Mar 13, 2023, 09:32 by jer...@ardley.org:
> 
> > My next best option is simply to remove your bind caching server (it sounds 
> > like it's not really necessary in your application)
> >
> > Backup /etc/bind and /var/cache/bind
> > then
> > systemctl remove bind9
> > systemctl purge bind9

LOL.

> > And then edit /etc/resolv.conf to
> >
> > nameserver 8.8.8.8
> > nameserver 8.8.4.4

And redirect all your DNS queries to Google.
I mean, people, if you suggest using a public DNS you could at least
consider suggesting a privacy-respecting one, like 9.9.9.9.


> Sure, I could have used some public DNS server and I may have to do that if I 
> can't get this issue resolved. Still, I'd like to understand why BIND 
> suddenly stopped working[1] for me and how to fix it.

And now to the serious stuff.

First things first, the log.

Mar 13 05:03:18 tst named[52836]: 13-Mar-2023 05:03:18.963 queries: info: client @0x7f7812816d68 127.0.0.1#38800 (www.yahoo.com): query: www.yahoo.com IN A +E(0)K (127.0.0.1)
Mar 13 05:03:21 tst named[52836]: 13-Mar-2023 05:03:21.631 dnssec: warning: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

The keyword here is not "managed-keys-zone", it's "dnssec".

Second, to put it bluntly, if you force bind9 to do DNSSEC validation
(which is enabled by default), bind9 won't be able to look up anything
unless it trusts the root DNSSEC key. Like, for your own security and
stuff :)

Third, like every DNSSEC key, root zone keys have their expiration.
Meaning, you did not have to change anything to break your setup; every
time you deal with DNSSEC you're dealing with a ticking bomb anyway.

Fourth, Debian packaging helpfully forces bind9 to depend on dns-root-data,
which should provide a current DNSSEC root key (KSK to be precise), but
bind9 could also take said key from /etc/bind/bind.keys.


In conclusion:

1) Check the contents of your /etc/bind/bind.keys, update if needed.
2) Check the version of your dns-root-data, versions above and including
2021011101 (aka ksk id 20326) are good.
3) Set "dnssec-validation no;" in named.conf.options as a last resort.
4) If you intend to troubleshoot DNS queries then consider installing
tcpdump. The thing helps.

Reco
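
Added example (not part of Reco's message or of the bind9 package): a small
Python checker for step 1 above. It parses the trust-anchors block of a
bind.keys-style file and computes each DNSKEY's key tag per RFC 4034
Appendix B, so you can confirm whether the anchor for "." is the KSK with
id 20326 that the message mentions. The sample file and its keys are
constructed for the demo and are not the real root KSK.

```python
import base64
import re

# Key tag algorithm from RFC 4034 Appendix B (for every algorithm except 1):
# sum the DNSKEY RDATA as 16-bit big-endian words and fold the carry.
def dnskey_keytag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

# Matches lines like:  . initial-key 257 3 8 "base64...";
# inside a trust-anchors { ... } or (older) managed-keys { ... } block.
ANCHOR_RE = re.compile(
    r'(?P<name>\S+)\s+(?P<kind>initial-key|static-key)\s+'
    r'(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+"(?P<key>[^"]*)"\s*;',
    re.S,
)

def parse_trust_anchors(text: str) -> list:
    """Return one dict per DNSKEY-style trust anchor found in the config text."""
    anchors = []
    for m in ANCHOR_RE.finditer(text):
        pubkey = base64.b64decode(re.sub(r"\s+", "", m["key"]))
        flags, proto, alg = int(m["flags"]), int(m["proto"]), int(m["alg"])
        anchors.append({
            "name": m["name"],
            "kind": m["kind"],
            "flags": flags,
            "algorithm": alg,
            "keytag": dnskey_keytag(flags, proto, alg, pubkey),
            "is_ksk": bool(flags & 1),  # SEP bit set => key-signing key
        })
    return anchors

def has_root_ksk(text: str, expected_tag: int = 20326) -> bool:
    """True if the config carries a KSK anchor for '.' with the expected key tag."""
    return any(a["name"] == "." and a["is_ksk"] and a["keytag"] == expected_tag
               for a in parse_trust_anchors(text))

# Constructed sample in bind.keys syntax; the 4-byte keys are placeholders.
SAMPLE_BIND_KEYS = '''
trust-anchors {
        . initial-key 257 3 8 "AQIDBA==";
        example. static-key 257 3 8 "BQYHCA==";
};
'''

if __name__ == "__main__":
    for a in parse_trust_anchors(SAMPLE_BIND_KEYS):
        print(a["name"], a["kind"], "tag", a["keytag"], "KSK" if a["is_ksk"] else "ZSK")
    print("root KSK 20326 present:", has_root_ksk(SAMPLE_BIND_KEYS))
```

Run it against /etc/bind/bind.keys by reading that file into `has_root_ksk()`; a False result means the anchor for "." is missing or is not the key id the message names.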
