I just rebooted my home server today for the first time since August. Updates had been installed on it daily as they were released. The last bind update was in June, so bind hadn't been restarted since the last reboot, but also hadn't been updated.

My bind instance has a local domain for my LAN configured but also acts as a caching resolver for DNS on the internet via forwarders to my ISP's DNS servers. Upon this morning's reboot, the latter functionality no longer worked.

There were lots of errors in the journal from named. One type was "network unreachable resolving " with various domains and record types, which apparently is an IPv6 issue. I Googled and found some ways to disable IPv6 to work around that, but that didn't resolve the issue.

Another error I saw a lot of is "no valid RRSIG resolving " with various domains and record types as well. Googling led me to this:
https://forums.opensuse.org/showthread.php/553041-configuring-named-Works-only-with-local-names-but-returns-SERVFAIL-with-global-names

and the key was to change:
dnssec-validation auto;
to:
dnssec-validation no;
in /etc/named.conf, and that fixed the issue and DNS worked again. So, something changed in the last few months, and it wasn't actually in the bind package, that broke this.
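The two journal errors named in the report above can be separated and attributed to upstream servers before changing dnssec-validation. This is an added example, not part of the bug report: the log lines are constructed in the shape named uses for these messages, and the forwarder addresses are documentation placeholders.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the shape named logs these two errors;
# names and addresses are documentation placeholders, not from the report.
SAMPLE_JOURNAL = """\
Jan 05 09:01:12 server named[812]: network unreachable resolving 'example.org/A/IN': 2001:db8::53#53
Jan 05 09:01:12 server named[812]: no valid RRSIG resolving 'example.org/DS/IN': 192.0.2.53#53
Jan 05 09:01:13 server named[812]: no valid RRSIG resolving 'org/DNSKEY/IN': 192.0.2.54#53
Jan 05 09:01:14 server named[812]: network unreachable resolving './NS/IN': 2001:db8::54#53
Jan 05 09:01:15 server named[812]: managed-keys-zone: journal file is out of date
"""

LINE_RE = re.compile(
    r"named\[\d+\]: (?P<kind>network unreachable|no valid RRSIG) resolving "
    r"'(?P<name>[^/']+)/(?P<rtype>[^/']+)/(?P<rclass>[^']+)': (?P<server>\S+)#(?P<port>\d+)"
)

def triage(journal_text):
    """Group the two resolver errors by kind: count, record types, upstream servers."""
    report = defaultdict(lambda: {"count": 0, "rtypes": set(), "servers": set()})
    for line in journal_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated named message, ignored
        entry = report[m["kind"]]
        entry["count"] += 1
        entry["rtypes"].add(m["rtype"])
        entry["servers"].add(ipaddress.ip_address(m["server"]))
    return dict(report)

def findings(report, forwarders):
    """Summarise which upstreams each error kind points at."""
    fwd = {ipaddress.ip_address(f) for f in forwarders}
    out = []
    unreachable = report.get("network unreachable")
    if unreachable and all(s.version == 6 for s in unreachable["servers"]):
        out.append("unreachable: all failures are to IPv6 upstreams")
    rrsig = report.get("no valid RRSIG")
    if rrsig and rrsig["servers"] <= fwd:
        out.append("rrsig: every validation failure was answered by a forwarder")
    elif rrsig:
        out.append("rrsig: validation failures also seen from non-forwarder servers")
    return out

if __name__ == "__main__":
    for finding in findings(triage(SAMPLE_JOURNAL), ["192.0.2.53", "192.0.2.54"]):
        print(finding)
```

When every RRSIG failure points at a forwarder, the next check is whether that forwarder returns RRSIG records at all, for example with `dig +dnssec` against the forwarder's address.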
(In reply to David Walser from comment #0)
> I just rebooted my home server today for the first time since August.
> Updates had been installed on it daily as they were released. The last bind
> update was in June, so bind hadn't been restarted since the last reboot, but
> also hadn't been updated.
>
> My bind instance has a local domain for my LAN configured but also acts as a
> caching resolver for DNS on the internet via forwarders to my ISP's DNS
> servers. Upon this morning's reboot, the latter functionality no longer
> worked.
>
> There were lots of errors in the journal from named. One type was "network
> unreachable resolving " with various domains and record types, which
> apparently is an IPv6 issue. I Googled and found some ways to disable IPv6
> to work around that, but that didn't resolve the issue.
>
> Another error I saw a lot of is "no valid RRSIG resolving " with various
> domains and record types as well. Googling led me to this:
> https://forums.opensuse.org/showthread.php/553041-configuring-named-Works-only-with-local-names-but-returns-SERVFAIL-with-global-names
>
> and the key was to change:
> dnssec-validation auto;
> to:
> dnssec-validation no;
> in /etc/named.conf, and that fixed the issue and DNS worked again. So,
> something changed in the last few months, and it wasn't actually in the bind
> package, that broke this.

So a bind bug that isn't in bind?

Assigning to guillomovitch anyway, because I have no better idea.

@guillomovitch Can you please help to figure out what the real culprit is?
Assignee: bugsquad => guillomovitch
CC: (none) => marja11
I suspect a cryptographic issue, such as yet another crypto-policies update side effect.
No, not crypto-policies, it hasn't been updated since Mageia 8 was released. Maybe openssl 1.1.1l?
Eventually, but that would be quite unusual. What about any other crypto-related configuration change on this host, with or without software update?
No, no changes were made to any configuration. Openssl was updated at the end of August and you mentioned crypto, so that's why I asked. I guess I could try 1.1.1m and see if it fixes it.
If you're running the chrooted version, can you try with the non-chrooted one?
I'm not running the chrooted version. openssl 1.1.1m doesn't fix it :o(