
Re: [SOLVED?] Re: BIND: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out




On 14/3/23 06:23, Jeremy Ardley wrote:

I had a signed DNS error in a similar configuration using a bind authoritative and caching server. It turned out it was systemd-resolved interfering and/or replacing part of the DNS chain.

FYI systemd-resolved is the inbuilt Debian caching DNS server which may be enabled by default. If you run that you don't need a bind9 caching name server.

What does this report?

systemctl status systemd-resolved

If there is anything there at all, check logs. You may find something.

Also FYI you can run bind9 and systemd-resolved at the same time and set bind9 to use systemd-resolved as forwarder:


options {
    directory "/var/cache/bind";

    // Use systemd-resolved as a DNS resolver
    forwarders {
        127.0.0.53 port 53;
    };

    dnssec-validation auto;

    auth-nxdomain no;    # conform to RFC1035

...

It's probably a good idea to not be too keen on dnssec validation - as above.

-- 
Jeremy
(Lists)
