DNSSEC problems on sparc?

To: netbsd-users%NetBSD.org@localhost
Subject: DNSSEC problems on sparc?
From: "John D. Baker" <jdbaker%mylinuxisp.com@localhost>
Date: Wed, 25 Mar 2015 05:00:40 -0500 (CDT)

Recently, after updating my primary DNS server, I noticed that it would
not answer recursive queries, returning SERVFAIL. It answers queries
about the local domain just fine.

"/var/log/messages" is filled with log entries like:

Mar 25 04:27:43 david named[2699]: no valid RRSIG resolving 'steampowered.com/DS/IN': 192.55.83.30#53
Mar 25 04:27:43 david named[2699]: no valid DS resolving 'repo.steampowered.com/A/IN': 23.61.199.67#53
Mar 25 04:27:43 david named[2699]: validating repo.steampowered.com/CNAME: bad cache hit (steampowered.com/DS)
Mar 25 04:27:43 david named[2699]: broken trust chain resolving 'repo.steampowered.com/A/IN': 184.85.248.67#53

I commented out the "dnssec" lines from the options section of my
"named.conf" file and restarted named. It would then answer recursive
queries.

The primary name server runs NetBSD/sparc-7.0_BETA. I attached 'ktruss'
to the process and noticed a number of reads of file descriptors (sockets?)
that ended with "ENOENT" indicating that whatever file it wanted didn't
exist or "EAGAIN" indicating a temporary resource shortage. Also some
"recvfrom()" and "sendto()" calls with the same result.

There was one anomaly I could see. As I run my 'named' chrooted, the
"/etc/rndc.key" is a symlink pointing to the relocated file in the chroot
directory. Somehow the file had been removed, resulting in a broken
link. This caused '/etc/rc.d/named' to try to regenerate the file, but
'rndc-confgen' would claim it already existed. Removing the symlink
and restarting regenerated the file and relocated it properly.

Unfortunately, this didn't solve the problem.

My backup name server runs NetBSD/amd64-7.0_BETA and it answers recursive
queries with DNSSEC enabled.

(The sparc machine's disk is in need of replacement, but I haven't been
able to do so yet. I have a suspicion that the issue is a library in
a bad spot on the disk. I would expect kernel messages about that, but
there haven't been any.)

--
|/"\ John D. Baker, KN5UKS NetBSD Darwin/MacOS X
|\ / jdbaker[snail]mylinuxisp[flyspeck]com OpenBSD FreeBSD
| X No HTML/proprietary data in email. BSD just sits there and works!
|/ \ GPGkeyID: D703 4A7E 479F 63F8 D3F4 BD99 9572 8F23 E4AD 1645

Prev by Date: Re: SCP file transfer speed
Next by Date: No Console Output - 6.5.1 HVM domU
Previous by Thread: SCP file transfer speed
Next by Thread: No Console Output - 6.5.1 HVM domU
Indexes:

Home | Main Index | Thread Index | Old Index