Re: Bind failures following update/reboot w/ 9.18.1

2022-12-27 Thread Philip Prindeville
Saw this at startup:

18:09:14.595420 IP (tos 0x0, ttl 57, id 35985, offset 0, flags [none], proto UDP (17), length 1167)
    192.58.128.30.53 > 24.116.100.90.53955: [udp sum ok] 64207*- q: DNSKEY? . 4/0/1 . DNSKEY, . DNSKEY, . DNSKEY, . RRSIG ar: . OPT UDPsize=1472 DO (1139)
18:09:14.597537 IP (

Re: Bind failures following update/reboot w/ 9.18.1

2022-12-27 Thread Philip Prindeville
> On May 14, 2022, at 12:35 AM, Matus UHLAR - fantomas
> wrote:
>
> On 13.05.22 10:06, Philip Prindeville wrote:
>> After rebooting my OpenWRT router with Bind 9.18.1 yesterday, I started
>> seeing a lot of:
>>
>>
>> May 12 19:24:06 OpenWrt named[11061]: validating ./NS: no valid signature

Re: Bind failures following update/reboot w/ 9.18.1

2022-05-13 Thread Matus UHLAR - fantomas
On 13.05.22 10:06, Philip Prindeville wrote:
After rebooting my OpenWRT router with Bind 9.18.1 yesterday, I started seeing a lot of:

May 12 19:24:06 OpenWrt named[11061]: validating ./NS: no valid signature found
May 12 19:24:06 OpenWrt named[11061]: validating net/DS: no valid signature fou

Re: Bind failures following update/reboot w/ 9.18.1

2022-05-13 Thread Greg Choules via bind-users
Your MTU is not the point. It's what happens beyond your equipment that may have a bearing. However, as I said, I don't think IP fragmentation will be your problem in this case, so that's a whole other discussion for a different day. pcaps are your friend though. From a packet capture you can see e

Re: Bind failures following update/reboot w/ 9.18.1

2022-05-13 Thread Philip Prindeville
My MTU is 1500 bytes, so I don't think that's the problem. But UDP can fragment via IP...

> On May 13, 2022, at 10:34 AM, Greg Choules
> wrote:
>
> Hi Philip.
> Can you run packet captures? I'm running 9.18.0 (close enough?) in Docker and
> just traced what happens going from "dnssec-validat

Re: Bind failures following update/reboot w/ 9.18.1

2022-05-13 Thread Greg Choules via bind-users
Hi Philip. Can you run packet captures? I'm running 9.18.0 (close enough?) in Docker and just traced what happens going from "dnssec-validation no;" to "dnssec-validation auto;" It makes a DNSKEY query for "." to one of the roots. The response size was over 900 bytes, so depending on what UDP paylo

Bind failures following update/reboot w/ 9.18.1

2022-05-13 Thread Philip Prindeville
After rebooting my OpenWRT router with Bind 9.18.1 yesterday, I started seeing a lot of:

May 12 19:24:06 OpenWrt named[11061]: validating ./NS: no valid signature found
May 12 19:24:06 OpenWrt named[11061]: validating net/DS: no valid signature found
May 12 19:24:06 OpenWrt named[11061]: no val