| Summary: | named cannot resolve any external domains because of dnssec validation failures | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | RPM Packages | Assignee: | Guillaume Rousse <guillomovitch> |
| Status: | NEW --- | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | marja11 |
| Version: | 8 | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Source RPM: | bind-9.11.31-1.1.mga8.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2021-11-22 21:49:49 CET
(In reply to David Walser from comment #0)
> I just rebooted my home server today for the first time since August.
> Updates had been installed on it daily as they were released. The last bind
> update was in June, so bind hadn't been restarted since the last reboot, but
> also hadn't been updated.
>
> My bind instance has a local domain for my LAN configured but also acts as a
> caching resolver for DNS on the internet via forwarders to my ISP's DNS
> servers. Upon this morning's reboot, the latter functionality no longer
> worked.
>
> There were lots of errors in the journal from named. One type was "network
> unreachable resolving " with various domains and record types, which
> apparently is an IPv6 issue. I Googled and found some ways to disable IPv6
> to work around that, but that didn't resolve the issue.
>
> Another error I saw a lot of is "no valid RRSIG resolving " with various
> domains and record types as well. Googling led me to this:
> https://forums.opensuse.org/showthread.php/553041-configuring-named-Works-only-with-local-names-but-returns-SERVFAIL-with-global-names
>
> and the key was to change:
> dnssec-validation auto;
> to:
> dnssec-validation no;
> in /etc/named.conf, and that fixed the issue and DNS worked again. So,
> something changed in the last few months, and it wasn't actually in the bind
> package, that broke this.

So a bind bug that isn't in bind?

Assigning to guillomovitch anyway, because I have no better idea.

@ guillomovitch
Can you please help to figure out what the real culprit is?

Assignee: bugsquad => guillomovitch

I suspect a cryptographic issue, such as yet another crypto-policies update side effect.

No, not crypto-policies, it hasn't been updated since Mageia 8 was released. Maybe openssl 1.1.1l?

Eventually, but that would be quite unusual. What about any other crypto-related configuration change on this host, with or without software update?

No, no changes were made to any configuration. Openssl was updated at the end of August and you mentioned crypto, so that's why I asked. I guess I could try 1.1.1m and see if it fixes it.

If you're running the chrooted version, can you try with the non-chrooted one?

I'm not running the chrooted version.

openssl 1.1.1m doesn't fix it :o(
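
An added example, not part of the original report or of BIND: a triage of the two journal messages quoted in the description, grouped by error type and by the upstream server named reports, to show whether the "no valid RRSIG" failures all arrive via the configured forwarders. The journal lines, addresses and function names are constructed for illustration, and the layout of the text after "resolving" is an assumption based on the usual named log format.

```python
import re
from collections import Counter, defaultdict

# Constructed journal lines (assumed named log layout); names and addresses
# are documentation placeholders, not values from the report.
SAMPLE_JOURNAL = """\
Nov 22 09:01:12 server named[1432]: network unreachable resolving 'example.org/A/IN': 2001:db8::53#53
Nov 22 09:01:12 server named[1432]: no valid RRSIG resolving 'example.org/DS/IN': 192.0.2.53#53
Nov 22 09:01:13 server named[1432]: no valid RRSIG resolving 'example.net/DNSKEY/IN': 192.0.2.53#53
Nov 22 09:01:13 server named[1432]: no valid RRSIG resolving 'org/DS/IN': 192.0.2.54#53
Nov 22 09:01:14 server named[1432]: zone lan/IN: loaded serial 2021112201
"""

LINE_RE = re.compile(
    r"named\[\d+\]: (?P<error>network unreachable|no valid RRSIG) resolving "
    r"'(?P<name>[^/']+)/(?P<rtype>[^/']+)/(?P<rclass>[^']+)': "
    r"(?P<server>[0-9A-Fa-f:.]+)#(?P<port>\d+)"
)

def triage(journal_text):
    """Group named resolution errors by type and by upstream server."""
    by_error = Counter()
    by_server = defaultdict(Counter)
    rrsig_types = Counter()
    for line in journal_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated named output, e.g. zone loads
        by_error[m["error"]] += 1
        by_server[m["server"]][m["error"]] += 1
        if m["error"] == "no valid RRSIG":
            rrsig_types[m["rtype"]] += 1  # DS/DNSKEY failures break the chain of trust
    return by_error, by_server, rrsig_types

def rrsig_only_from(by_server, forwarders):
    """True when every 'no valid RRSIG' error came from a listed forwarder."""
    offenders = {s for s, c in by_server.items() if c["no valid RRSIG"]}
    return bool(offenders) and offenders <= set(forwarders)

if __name__ == "__main__":
    errors, servers, types = triage(SAMPLE_JOURNAL)
    print(dict(errors))
    print({s: dict(c) for s, c in servers.items()})
    print(dict(types))
    print(rrsig_only_from(servers, ["192.0.2.53", "192.0.2.54"]))
```

On a real host the input would be the named journal text, and the forwarder list would be the addresses from the `forwarders` statement in /etc/named.conf.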