[opensuse] 15.2: simple local bind resolver does not resolve anything any more?
Apparently there was some bind (named) update last night or yesterday. Today my internet and routing works fine on 15.2, but a locally installed named (bind) does not resolve anything any more. I actually use it only in a very simple way, no zones defined or anything, just a kind of cache or resolver that talks to the root nameservers and goes down the tree of nameservers to look up DNS entries.

journalctl -u named.service

constantly shows messages about "no valid RRSIG ... no valid signature found". I cannot nslookup anything using this bind on 127.0.0.1. I suppose this has something to do with DNSSEC or such stuff? How come a simple security update or patch suddenly activates such a harsh feature midstream in 15.2? Or are some root anchors or whatever such stuff missing from the openSUSE Leap 15.2 update/patch package or something?

I can nslookup fine using the IP address of my local broadband router of the ISP I use, or with the help of outside resolvers/forwarders, e.g. dns.google or such services in the public.

Any quick remedy? Thanks lots.

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Hi, On Tue, Oct 20, 2020 at 02:29:39PM +0200, cagsm wrote:
Apparently there was some bind (named) update last night or yesterday. Today my internet and routing works fine on 15.2, but a locally installed named (bind) does not resolve anything any more.
I actually use it only in a very simple way, no zones defined or anything, just a kind of cache or resolver that talks to the root nameservers and goes down the tree of nameservers to look up DNS entries.
journalctl -u named.service
constantly shows messages about "no valid RRSIG ... no valid signature found".
I cannot nslookup anything using this bind on 127.0.0.1. I suppose this has something to do with DNSSEC or such stuff? How come a simple security update or patch suddenly activates such a harsh feature midstream in 15.2? Or are some root anchors or whatever such stuff missing from the openSUSE Leap 15.2 update/patch package or something?
I can nslookup fine using the IP address of my local broadband router of the ISP I use, or with the help of outside resolvers/forwarders, e.g. dns.google or such services in the public.
Any quick remedy? Thanks lots.
We updated bind as we had a lot of requests for a modern version. :/ The last bind update currently enforces DNSSEC usage. Try in /etc/named.conf:

dnssec-enable no;

Ciao, Marcus
On Tue, Oct 20, 2020 at 2:42 PM Marcus Meissner <meissner@suse.de> wrote:
We updated bind as we had a lot of requests for a modern version. :/ The last bind update currently enforces DNSSEC usage. Try in /etc/named.conf:
dnssec-enable no;
Thank you. I actually did set that line and the dnssec-validation no; right now. The bind now works again. Maybe I am a total noob, but I wasn't using any forwarders settings or forwarders first at all, and I had thought of dnssec so far as some option; how come "all" the domains and lookups I tried always ended with an error or srvfail (nslookup) as a result? Shouldn't dnssec work when domains actually don't use it? And don't the large and popular gTLD and other TLD use dnssec? Everything simple failed and the journalctl was full of those errors. Am I missing something? Thanks.
On Tue, 2020-10-20 at 14:42 +0200, Marcus Meissner wrote:
Hi,
On Tue, Oct 20, 2020 at 02:29:39PM +0200, cagsm wrote:
Apparently there was some bind (named) update last night or yesterday. Today my internet and routing works fine on 15.2, but a locally installed named (bind) does not resolve anything any more.
I actually use it only in a very simple way, no zones defined or anything, just a kind of cache or resolver that talks to the root nameservers and goes down the tree of nameservers to look up DNS entries.
journalctl -u named.service
constantly shows messages about "no valid RRSIG ... no valid signature found".
I cannot nslookup anything using this bind on 127.0.0.1. I suppose this has something to do with DNSSEC or such stuff? How come a simple security update or patch suddenly activates such a harsh feature midstream in 15.2? Or are some root anchors or whatever such stuff missing from the openSUSE Leap 15.2 update/patch package or something?
I can nslookup fine using the IP address of my local broadband router of the ISP I use, or with the help of outside resolvers/forwarders, e.g. dns.google or such services in the public.
Any quick remedy? Thanks lots.
We updated bind as we had a lot of requests for a modern version. :/
The last bind update currently enforces DNSSEC usage.
Try in /etc/named.conf:
dnssec-enable no;
Ciao, Marcus
I don't think that dnssec-enable works anymore. This works for me on my Ubuntu 20.04 server, in /etc/bind/named.conf.options:

dnssec-validation no;

Mark
On Tue, Oct 20, 2020 at 3:01 PM Mark Petersen <mark.petersen@markofall.com> wrote:
I don't think that dnssec-enable works anymore. This works for me on my Ubuntu 20.04 server, in /etc/bind/named.conf.options:
dnssec-validation no;
Anyone care to explain how this DNSSEC stuff ought to work actually? Maybe I am missing something paramount here. To me it looks like the whole DNS lookups become disabled. How is this supposed to work? DNSSEC must handle servers, zones, replies etc. that don't have DNSSEC features, must it not? Is there only to completely turn it on or off, and every zone and server out there then needs to support it? How does it work for anyone at all then, if this would be true? I have some serious lack of understanding, sorry :((
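On the question of how a validating resolver behaves: it checks signed zones against the chain from the root trust anchor downwards, and unsigned zones come back as "insecure" and still resolve, so when every lookup fails the suspect is the validator's own path to the root (a stale or missing trust anchor, or a forwarder or middlebox that drops RRSIG/DNSKEY records), not the individual domains. This added Python script, which is not part of the thread or of BIND, classifies constructed journalctl lines written in BIND's log message formats to tell that case apart from a single broken zone.

```python
import re
from collections import Counter

# Constructed journalctl lines (not from the thread); the two message shapes
# follow BIND's "no valid RRSIG resolving '<name>/<type>/IN'" and
# "validating <name>/<type>: no valid signature found" log formats.
SAMPLE_LOG = """\
Oct 20 14:10:01 leap named[1234]: no valid RRSIG resolving './DNSKEY/IN': 192.0.2.53#53
Oct 20 14:10:01 leap named[1234]: validating ./DNSKEY: no valid signature found (DS)
Oct 20 14:10:02 leap named[1234]: no valid RRSIG resolving 'com/DS/IN': 192.0.2.53#53
Oct 20 14:10:02 leap named[1234]: validating com/DS: no valid signature found
Oct 20 14:10:03 leap named[1234]: no valid RRSIG resolving 'example.com/A/IN': 192.0.2.53#53
Oct 20 14:10:04 leap named[1234]: validating example.com/A: no valid signature found
Oct 20 14:10:05 leap named[1234]: client @0x7f 127.0.0.1#5000 (example.org): query: example.org IN A +E(0)K
"""

RRSIG_RE = re.compile(r"no valid RRSIG resolving '([^/']+)/[A-Z0-9]+/IN'")
VALID_RE = re.compile(r"validating ([^/ ]+)/[A-Z0-9]+: no valid signature found")


def failures_by_name(log):
    """Count DNSSEC validation failures per owner name (the root is '.')."""
    counts = Counter()
    for line in log.splitlines():
        m = RRSIG_RE.search(line) or VALID_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def is_root_or_tld(name):
    # '.' is the root; a TLD such as 'com' has no interior dot.
    return "." not in name.strip(".")


def diagnose(counts):
    """'resolver-side': the chain already fails at the root or a TLD, so the
    validator's own setup is suspect (trust anchor, or a forwarder/middlebox
    that strips RRSIG and DNSKEY). 'zone-specific': only particular zones
    fail, so look at how those zones are signed and delegated."""
    if not counts:
        return "none"
    if any(is_root_or_tld(n) for n in counts):
        return "resolver-side"
    return "zone-specific"


if __name__ == "__main__":
    found = failures_by_name(SAMPLE_LOG)
    for name, n in found.most_common():
        print(f"{n:3d}  {name}")
    print("diagnosis:", diagnose(found))
```

Replace SAMPLE_LOG with the output of journalctl -u named to run it against a real log.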
On 2020-10-20 14:42, Marcus Meissner wrote:
We updated bind as we had a lot of requests for a modern version. :/
The last bind update currently enforces DNSSEC usage.
Try in /etc/named.conf:
dnssec-enable no;
Thanks for dropping something like that on us unannounced. It actually breaks as soon as you have a forwarder set up. See https://bugzilla.opensuse.org/show_bug.cgi?id=1177915

One would think that a change of this magnitude, which has the potential to break a LOT of systems, and I mean whole networks, should happen in the next major release, not in an unannounced update in the middle of a minor version's lifecycle.

Cheers
Mathias

--
Mathias Homann
Mathias.Homann@openSUSE.org
telegram: https://telegram.me/lemmy98
irc: [lemmy] on freenode and ircnet
obs: lemmy04
gpg key fingerprint: 8029 2240 F4DD 7776 E7D2 C042 6B8E 029E 13F2 C102
On 10/20/20 7:29 AM, cagsm wrote:
I cannot nslookup anything using this bind on 127.0.0.1. I suppose this has something to do with DNSSEC or such stuff? How come a simple security update or patch suddenly activates such a harsh feature midstream in 15.2? Or are some root anchors or whatever such stuff missing from the openSUSE Leap 15.2 update/patch package or something?
I can nslookup fine using the IP address of my local broadband router of the ISP I use, or with the help of outside resolvers/forwarders, e.g. dns.google or such services in the public.
Any quick remedy? Thanks lots.
Well, you need to generate your tsig keys so dhcp can provide dynamic updates to your bind zone files. I have some notes on it somewhere. It hasn't changed in ages -- so there may be something else going on. Now if there was a new named.conf file that changes the criteria and requirements for RRSET (record resets, etc...) then that may be another area. Late here and I have a meeting in the morning; I'll check after that. In the meantime show the output from journalctl -u named and, if used, journalctl -u dhcp4 (and 6 if you use it).

-- David C. Rankin, J.D., P.E.