[Pkg-dns-devel] Bug#693587: bind9: stop resolving

Marco d'Itri md at Linux.IT
Sun Jan 21 08:25:25 UTC 2018


Control: -1 DNSSEC validation fails on system resume

On Nov 18, Florian Weimer <fw at deneb.enyo.de> wrote:

> Is your system clock correct?
> 
> I wonder if this is a clock issue, or if BIND incorrectly marks the
> DLV servers as dead.
The clock is correct and this is not related to DLV.
Most of the times my laptop resumes some domains fail to resolve.
It is running a full non-forwarding validator.
I think that this started a few months ago.
rndc flush fixes it.

E.g.:

Jan 21 08:45:05 bongo systemd-sleep[32175]: System resumed.
[...]
Jan 21 08:45:11 bongo named[10955]:   validating it/SOA: got insecure response; parent indicates it should be secure
Jan 21 08:45:11 bongo named[10955]: message repeated 10 times: [   validating it/SOA: got insecure response; parent indicates it should be secure]
Jan 21 08:45:11 bongo named[10955]:   validating org/SOA: got insecure response; parent indicates it should be secure
Jan 21 08:45:11 bongo named[10955]:   validating it/SOA: got insecure response; parent indicates it should be secure
Jan 21 08:45:11 bongo named[10955]: validating attila.bofh.it/AAAA: bad cache hit (bofh.it/DS)
Jan 21 08:45:11 bongo named[10955]: validating attila.bofh.it/A: bad cache hit (bofh.it/DS)
Jan 21 08:45:11 bongo named[10955]:   validating bofh.it/SOA: bad cache hit (bofh.it/DS)
Jan 21 08:45:11 bongo named[10955]:   validating bofh.it/SOA: bad cache hit (bofh.it/DS)
Jan 21 08:45:11 bongo named[10955]:   validating org/SOA: got insecure response; parent indicates it should be secure
Jan 21 08:45:11 bongo named[10955]:   validating bofh.it/SOA: bad cache hit (bofh.it/DS)
Jan 21 08:45:11 bongo named[10955]:   validating bofh.it/SOA: bad cache hit (bofh.it/DS)
Jan 21 08:45:11 bongo named[10955]:   validating org/SOA: got insecure response; parent indicates it should be secure
Jan 21 08:45:11 bongo named[10955]: message repeated 3 times: [   validating org/SOA: got insecure response; parent indicates it should be secure]
Jan 21 08:45:11 bongo named[10955]: validating rss.slashdot.org/CNAME: bad cache hit (slashdot.org/DS)
Jan 21 08:45:11 bongo named[10955]: validating rss.slashdot.org/CNAME: bad cache hit (slashdot.org/DS)
Jan 21 08:45:11 bongo named[10955]:   validating bofh.it/SOA: bad cache hit (bofh.it/DS)
Jan 21 08:45:11 bongo named[10955]:   validating bofh.it/SOA: bad cache hit (bofh.it/DS)

> Is it possible that you can share the output of "rndc dumpdb"?
I will try to get on the next time.

-- 
ciao,
Marco
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-dns-devel/attachments/20180121/3b2bb9bc/attachment.sig>


More information about the pkg-dns-devel mailing list