NetBSD-Users archive


DNSSEC vs netbsd-8/sparc?

After the recent discussion about DNSSEC suddenly not working due to
some issue with ISC keys vs signed root servers, etc., I went looking
at my own name servers to see why I never noticed a problem with them.

My primary name server normally runs NetBSD/sparc-7.2_STABLE (long
overdue for disk update to accommodate newer NetBSD plus requisite
packages).  It had all the DNSSEC options commented out, so it didn't
try to use them and worked anyway.

My backup name server ran NetBSD/amd64-8.1_STABLE (now 9.0_STABLE) and
somehow I'd never noticed that it WAS using DNSSEC and working just fine.
The "dnssec-lookaside=auto" was commented out, now removed entirely.

When I tried turning on DNSSEC on the primary name server, it could no
longer resolve outside my own local network.  I think BIND in netbsd-7
is considered too old to properly support current DNSSEC, so I commented
those options out and it was again able to resolve external domains.

I have cloned the primary name server's file systems onto my file server
so it can netboot and run semi-disklessly and thus can boot netbsd-8,
netbsd-9 and -current rather trivially.

With the recent update of netbsd-8 to 8.2_STABLE, I updated that copy
of my NFS file system for the primary name server and was eager to try
enabling DNSSEC on it.

Alas, with those options enabled, it is still unable to resolve external
domains.  Looking at the startup log messages shows no apparent errors
(there was an issue about "/etc/rndc.key" having the wrong owner/group
but I fixed that).

'dig' reports SERVFAIL; "/var/log/message" shows complaints about:

  no valid RRSIG resolving 'domin.tld/DS/IN': <ipaddr>#53
  no valid DS resolving host.sub.domain.tld/A/IN: <ipaddr>#53
  validating host.sub.domain.tld/CNAME: bad cache hit (domain.tld/DS)
  broken trust chain resolving 'host.sub.domain.tld/A/IN': <ipaddr>#53
  query client=0xXXXXXXXX thread=0xYYYYYYYY (host.sub.domain.tld/A): query_find: unexpected error after resuming: broken trust chain

With DNSSEC disabled again, it works.

Meanwhile, the backup nameserver continues to have no problem with DNSSEC.

I'll try netbsd-9 and -current eventually, but it will take a while.

Anyone else running base-system BIND with DNSSEC enabled on sparc?

|/"\ John D. Baker, KN5UKS               NetBSD     Darwin/MacOS X
|\ / jdbaker[snail]consolidated[flyspeck]net  OpenBSD            FreeBSD
| X  No HTML/proprietary data in email.   BSD just sits there and works!
|/ \ GPGkeyID:  D703 4A7E 479F 63F8 D3F4  BD99 9572 8F23 E4AD 1645
