DNSSEC vs netbsd-8/sparc?

To: netbsd-users%NetBSD.org@localhost
Subject: DNSSEC vs netbsd-8/sparc?
From: "John D. Baker" <jdbaker%consolidated.net@localhost>
Date: Thu, 16 Apr 2020 17:45:52 -0500 (CDT)

After the recent discussion about DNSSEC suddenly not working due to
some issue with ISC keys vs signed root servers, etc., I went looking
at my own name servers to see why I never noticed a problem with them.

My primary name server normally runs NetBSD/sparc-7.2_STABLE (long
overdue for disk update to accomodate newer NetBSD plus requisite
packages). It had all the DNSSEC options commented out, so it didn't
try to use them and worked anyway.

My backup name server ran NetBSD/amd64-8.1_STABLE (now 9.0_STABLE) and
somehow I'd never noticed that it WAS using DNSSEC and working just fine.
The "dnssec-lookaside=auto" was commented out, now removed entirely.

When I tried turning on DNSSEC on the primary name server, it could no-
longer resolve outside my own local network. I think BIND in netbsd-7
is considered too old to properly support current DNSSEC, so I commented
those options out and it was again able to resolve external domains.

I have cloned the primary name server's file systems onto my file server
so it can netboot and run semi-disklessly and thus can boot netbsd-8,
netbsd-9 and -current rather trivially.

With the recent update of netbsd-8 to 8.2_STABLE, I updated that copy
of my NFS file system for the primary name server and was eager to try
enabling DNSSEC on it.

Alas, with those options enabled, it is still unable to resolve external
domains. Looking at the startup log messages shows no apparent errors
(there was an issue about "/etc/rndc.key" having the wrong owner/group
but I fixed that).

'dig' reports SERVFAIL, "/var/log/message" shows complaints about:

no valid RRSIG resolving 'domin.tld/DS/IN': <ipaddr>#53
no valid DS resolving host.sub.domain.tld/A/IN: <ipaddr>#53
validating host.sub.domain.tld/CNAME: bad cache hit (domain.tld/DS)
broken trust chain resolving 'host.sub.domain.tld/A/IN': <ipaddr>#53
query client=0xXXXXXXXX thread=0xYYYYYYYY (host.sub.domain.tld/A): query_find: unexpected error after resuming: broken trust chain

With DNSSEC disabled again, it works.

Meanwhile, the backup nameserver continues to have no problem with DNSSEC.

I'll try netbsd-9 and -current eventually, but it will take a while.

Anyone else running base-system BIND with DNSSEC enabled on sparc?

--
|/"\ John D. Baker, KN5UKS NetBSD Darwin/MacOS X
|\ / jdbaker[snail]consolidated[flyspeck]net OpenBSD FreeBSD
| X No HTML/proprietary data in email. BSD just sits there and works!
|/ \ GPGkeyID: D703 4A7E 479F 63F8 D3F4 BD99 9572 8F23 E4AD 1645

Follow-Ups:
- Re: DNSSEC vs netbsd-8/sparc?
  - From: Havard Eidnes
- Re: DNSSEC vs netbsd-8/sparc?
  - From: John D. Baker

Prev by Date: Re: How to set font size of xterm
Next by Date: Re: DNSSEC vs netbsd-8/sparc?
Previous by Thread: Re: Will windows 10 load after installing netbsd?
Next by Thread: Re: DNSSEC vs netbsd-8/sparc?
Indexes:

Home | Main Index | Thread Index | Old Index