On Thu, Oct 11, 2018, at 9:40 AM, Viktor Dukhovni wrote:
> On Thu, Oct 11, 2018 at 11:24:13AM -0400, Viktor Dukhovni wrote:
>
> > In case you've not seen this many other places, just a friendly
> > reminder that ICANN is rolling the DNSSEC root KSK today. Make
> > sure your resolver (if it is validating) is ready. If you're
> > forwarding queries to an upstream resolver, you might also check
> > that the upstream is ready.
Thanks for the reminder ... seems quite timely!
Can you comment just a bit further on 'ready'?
Literally not long after I received your notice above about the roll, here all
queries stopped working, and the server can't be restarted.
Logs on, e.g.,
dig A google.com
contain
...
Oct 11 10:09:00 ns01 named[4116]: 11-Oct-2018 10:09:00.435 resolver: debug 1: fetch: google.com/A
Oct 11 10:09:00 ns01 named[4116]: 11-Oct-2018 10:09:00.484 dnssec: info: view internal: validating com/DS: bad cache hit (./DNSKEY)
Oct 11 10:09:00 ns01 named[4116]: 11-Oct-2018 10:09:00.484 lame-servers: info: broken trust chain resolving 'google.com/A/IN': 2001:4860:4802:36::a#53
Oct 11 10:09:00 ns01 named[4116]: 11-Oct-2018 10:09:00.484 query-errors: debug 1: client @0x7efc441cd640 ::1#63498 (google.com): view internal: query failed (SERVFAIL) for google.com/IN/A at query.c:10692
...
Which seems related to the key roll.
Changing my local dns (named) config to
- dnssec-enable yes;
+ dnssec-enable no;
dnssec-lookaside no;
- dnssec-validation yes;
+ dnssec-validation no;
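Review bot: setting `dnssec-validation no;` (and `dnssec-enable no;`) restores resolution only by switching validation off entirely, so the "broken trust chain" in the log is hidden rather than fixed; treat this as a temporary workaround and restore `dnssec-validation yes;` once the resolver's root trust anchor is in order, otherwise it keeps answering without any DNSSEC protection, as the message itself notes.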
gets me back up & running, without DNSSEC of course.
> As cached data expires, this should make its way into all working
> caches over the next day or two
Is 'ready' simply ... 'wait a while'?
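One concrete way to check "ready" before (or after) a KSK roll is to look at which key-signing keys your resolver actually sees for the root and whether the expected trust anchor is among them. The script below is an added example, not code from this thread or from BIND: it parses text in the shape of a `dig . DNSKEY` answer, computes each key's tag per RFC 4034 Appendix B, and reports the KSKs (SEP bit set, REVOKE bit clear). The sample records are constructed toy keys; in practice you would paste real `dig` output and compare against the KSK-2017 tag 20326.

```python
import base64

# Tag of the root KSK introduced for the 2018 roll (KSK-2017); the
# sample below does not contain it, it only shows the parsing/tagging.
KSK_2017_TAG = 20326

# Constructed sample in the shape of `dig . DNSKEY` answer lines.
# The base64 keys are toy values, not the real root keys.
SAMPLE_DNSKEY_OUTPUT = """\
;; ANSWER SECTION:
.\t172800\tIN\tDNSKEY\t257 3 8 AQIDBA==
.\t172800\tIN\tDNSKEY\t256 3 8 BQY=
.\t172800\tIN\tDNSKEY\t257 3 8 Bw==
"""

def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskeys(text):
    """Return a list of {flags, protocol, algorithm, tag} for each DNSKEY line."""
    keys = []
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 8 or fields[3] != "DNSKEY":
            continue
        flags, proto, alg = (int(f) for f in fields[4:7])
        pubkey = base64.b64decode("".join(fields[7:]))  # dig may split the key
        keys.append({"flags": flags, "protocol": proto, "algorithm": alg,
                     "tag": key_tag(flags, proto, alg, pubkey)})
    return keys

def ksk_tags(text):
    """Tags of keys with the SEP bit (1) set and the REVOKE bit (128) clear."""
    return sorted(k["tag"] for k in parse_dnskeys(text)
                  if k["flags"] & 0x0001 and not k["flags"] & 0x0080)

def anchor_present(text, expected_tag=KSK_2017_TAG):
    """True if the expected trust-anchor KSK appears in the DNSKEY set."""
    return expected_tag in ksk_tags(text)

if __name__ == "__main__":
    print("KSK tags seen:", ksk_tags(SAMPLE_DNSKEY_OUTPUT))
    print("KSK-2017 present:", anchor_present(SAMPLE_DNSKEY_OUTPUT))
```

If the resolver answers with the new KSK present but still SERVFAILs without `+cd`, the problem is its configured trust anchor (or stale cached DNSKEY data), not the root zone itself.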