DNSSEC stops validating anything

Chris Adams cma at cmadams.net
Wed Dec 1 15:33:13 UTC 2021


I have 3 CentOS 8 servers running Unbound (the CentOS packaged version,
1.7.3 with patches).  Periodically, one of them will stop being able to
validate any DNSSEC, causing lookup failures.  I haven't been able to
find any common incident or trigger that may be causing it (it'll only
happen on one at a time, but has happened at least once to each of the
three).

It starts with log entries like:

Nov 22 14:01:28 dns-cache3 unbound[1117]: [1117:0] info: validation failure . SOA IN

Then when it tries to do the RFC keytag query:

Nov 22 16:20:52 dns-cache3 unbound[1117]: [1117:0] info: generate keytag query _ta-4f66. NULL IN
Nov 22 16:20:52 dns-cache3 unbound[1117]: [1117:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Nov 22 16:20:52 dns-cache3 unbound[1117]: [1117:0] info: generate keytag query _ta-4f66. NULL IN

And then eventually all validation fails.

It's just about the default (at least CentOS-packaged) config, with just
adjustments for the cache sizes and ACLs.  The VMs are just running
unbound and keepalived (to float virtual IPs around with VRRP).

Is there any known issue that can cause this, either in Unbound itself
or external (on the VMs, the network, etc.)?  I checked that the clocks
are correct.  I've been running Unbound on lots of ISP servers for
years, and this is the only setup where I've had this problem.

-- 
Chris Adams <cma at cmadams.net>
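
The log lines quoted in the post above are the signature of a resolver whose root trust anchor can no longer be primed: once "failed to prime trust anchor" appears, every answer depending on the root DNSKEY fails validation. The following is an added example, not code from the post or from the Unbound project, that parses syslog-formatted Unbound log lines and reports whether the resolver has reached that state, how many validation failures preceded it, and which root key tags the RFC 8145 `_ta-<hex>` keytag query was signaling (`_ta-4f66` decodes to key tag 20326). The regular expression for the line layout and the sample log block are assumptions made for this example: the first failure lines are the ones quoted in the post, the surrounding lines are constructed.

```python
"""Scan Unbound syslog lines for DNSSEC trust-anchor priming failures."""
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Layout assumed here: "<Mon DD HH:MM:SS> <host> unbound[<pid>]: [<pid>:<tid>] <level>: <msg>"
# (matches the lines quoted in the post; other journald decorations are skipped).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) unbound\[(?P<pid>\d+)\]: "
    r"\[\d+:\d+\] (?P<level>\w+): (?P<msg>.*)$"
)

# RFC 8145 key-tag signaling: "_ta-" followed by one or more 4-hex-digit key tags
# joined by "-", e.g. "_ta-4f66" for key tag 0x4f66 = 20326.
TA_RE = re.compile(r"^_ta-([0-9a-f]{4}(?:-[0-9a-f]{4})*)\.?$")

# Constructed sample: lines 2-5 are the ones quoted in the post, the rest are
# made up to show a healthy start and a later ordinary-domain failure.
SAMPLE_LOG = """\
Nov 22 13:55:10 dns-cache3 unbound[1117]: [1117:0] info: start of service (unbound 1.7.3).
Nov 22 14:01:28 dns-cache3 unbound[1117]: [1117:0] info: validation failure . SOA IN
Nov 22 16:20:52 dns-cache3 unbound[1117]: [1117:0] info: generate keytag query _ta-4f66. NULL IN
Nov 22 16:20:52 dns-cache3 unbound[1117]: [1117:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Nov 22 16:20:52 dns-cache3 unbound[1117]: [1117:0] info: generate keytag query _ta-4f66. NULL IN
-- Reboot --
Nov 22 16:21:03 dns-cache3 unbound[1117]: [1117:0] info: validation failure example.com. A IN
"""


def keytags_from_msg(msg: str) -> List[int]:
    """Decode the key tags from a 'generate keytag query _ta-XXXX. NULL IN' message."""
    parts = msg.split()
    if len(parts) < 4 or parts[:3] != ["generate", "keytag", "query"]:
        return []
    m = TA_RE.match(parts[3])
    if not m:
        return []
    return [int(tag, 16) for tag in m.group(1).split("-")]


@dataclass
class Report:
    lines_parsed: int = 0
    validation_failures: int = 0
    prime_failures: int = 0
    first_failure_ts: Optional[str] = None
    signaled_keytags: Set[int] = field(default_factory=set)

    @property
    def anchor_broken(self) -> bool:
        # One failed prime is enough: nothing under the root validates afterwards.
        return self.prime_failures > 0

    def verdict(self) -> str:
        if self.anchor_broken:
            return "trust anchor priming failed: all validation will fail"
        if self.validation_failures:
            return "validation failures without priming failure"
        return "healthy"


def analyze(text: str) -> Report:
    """Walk the log once and accumulate the DNSSEC-relevant events."""
    rep = Report()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an Unbound line (journald markers, other daemons)
        rep.lines_parsed += 1
        ts, msg = m.group("ts"), m.group("msg")
        if msg.startswith("validation failure"):
            rep.validation_failures += 1
            rep.first_failure_ts = rep.first_failure_ts or ts
        elif msg.startswith("failed to prime trust anchor"):
            rep.prime_failures += 1
            rep.first_failure_ts = rep.first_failure_ts or ts
        elif msg.startswith("generate keytag query"):
            rep.signaled_keytags.update(keytags_from_msg(msg))
    return rep


if __name__ == "__main__":
    # Usage: journalctl -u unbound --no-pager | python3 unbound_anchor_check.py
    r = analyze(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG)
    print(f"{r.verdict()} (first failure at {r.first_failure_ts}, "
          f"{r.validation_failures} validation failures, "
          f"signaled key tags {sorted(r.signaled_keytags)})")
```

Run against the constructed sample, the report flags the priming failure, dates the first failure to the `. SOA IN` line, and decodes the signaled key tag as 20326. When running it against a real journal, raising `val-log-level` to 2 in unbound.conf makes Unbound log the reason for each validation failure, which is the detail the lines above lack.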

