[knot-dns-users] slave strange behaviour

26 Říj 2019

Hello.

I found another strange behaviour on my slave : it kept old RRSIG's for 
SOA entries.

I fixed it by running zone-purge, then zone-retransfer

; <<>> DiG 9.11.5-P1-1~bpo9+1-Debian <<>> +dnssec @87.98.180.13
caa 
www.geekwu.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12546
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 19, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;www.geekwu.org.                        IN      CAA

;; AUTHORITY SECTION:
geekwu.org.             86400   IN      SOA     ns.geekwu.org. 
hostmaster.geekwu.org. 2019101730 3600 1200 2419200 10000
geekwu.org.             86400   IN      RRSIG   SOA 14 2 86400 
20181118054714 20181104041714 54076 geekwu.org. 
8b6lzlyI1fZUxwtCt9GHsRu1Ist1CtDFm+NifSTTESoMK3XAnW8gyZzp 
UIEmNiIRKdYnze+FsW+oEw4hm9pkW/lwgIls3tBvLKCwRseUwrj5jIbh rPK9fYuWM0RP1HBj
geekwu.org.             86400   IN      RRSIG   SOA 14 2 86400 
20181118054719 20181104041719 54076 geekwu.org. 
uoRZZ4jV2jaubsH7W3VIpIdu9iVKYnz9q+GpNHSnEDv4Mt5JcVnLChLk 
/eeRKSK9U7h8yFSOmxdcTBIyITlbGGBeeVbZFdQYsSshpN1Fa7YME9JU ttr5tISHoPnHlM2y
geekwu.org.             86400   IN      RRSIG   SOA 14 2 86400 
20181118054723 20181104041723 54076 geekwu.org. 
/2EY2DNqeX0GqK0eDcg3dFIqgH0346fP1XuIHM3oswRMnFMtCEDuD325 
jpqByKlOkl4Edlv/GyJlJXohrdlWyTzE2xCM6ad2ordYHu0eCO8npfEi OOPc2HhtBYQUM+TU
geekwu.org.             86400   IN      RRSIG   SOA 14 2 86400 
20181118054727 20181104041727 54076 geekwu.org. 
OwfeorMdvR3Q4XvkSfNxruYJfcPRPIhsnDrrYk41L1gIYMRwEfapO/Te 
tza5M07CGx0rQPvFejXHRr7vzlatxvI9k9Vqrs12CR1q7ak+NVhxcM53 syCJVN/z8iKu5uYV
geekwu.org.             86400   IN      RRSIG   SOA 14 2 86400 
20181118054731 20181104041731 54076 geekwu.org. 
DpyZ6MCWuEA025ghGRJBISd0Lp7qXWb3R27+R/+FWnIytoLrIIzgRLI5 
TEojx/k6hlbwFszH024T5CP5vQ1WXjIVyF9ZwNjseJ+skZgPx5ySzqrI R8WXgdpKYi4+SrYs
geekwu.org.             86400   IN      RRSIG   SOA 14 2 86400 
20181118054738 20181104041738 54076 geekwu.org. 
nNr2vNwLQSlDE7UXQWxGCiTTKb3wyx5VSzhoB8W8ovkSD9EHbcAr3QuP 
cR3ICASDhnWySB4NEB7i+qncT90+JEccuxvT8fBCoMHJtMy0YjNqsTLd tOOSitLogl4h8the
geekwu.org.             86400   IN      RRSIG   SOA 14 2 86400 
20181118054741 20181104041741 54076 geekwu.org. 
/28OcE9l7MXN9wKl2vpI5fxNpu6Ia1i4ku3V61Pix2JPKKJ4YhYG1BDw 
aBnpncgso71CiJyVz1Rsp1X50V6tGdibtP/ckRdqvl9f+W+KeCvcrcaS 8u4a5BjeqDFokrfY
geekwu.org.             86400   IN      RRSIG   SOA 14 2 86400 
20181118054743 20181104041743 54076 geekwu.org. 
GA4eFm1u4jxa+Jhu4vWa+UoucY7OES/8bKxkaIMte0AsC7bPovWdS8Qx 
6zrrS9u1PEXS4dDy+PeCxPQFSefaPfiEY44J8JILTaf4OfiL+ij7RI2m MrN1e428veGFFfrY
geekwu.org.             86400   IN      RRSIG   SOA 14 2 86400 
20181118054746 20181104041746 54076 geekwu.org. 
MnF6nqK/UV+Q68Lf6mV80E4FcClEARc9gclqH4jP0gaxco/DpqGhWEgG 
yKM/E8ePIPOaUyRqdoiRKfWS2xcQExhqbeS+orcUjKx04BxDbp8rpCFG lRhR+QLEO4SpTrKo
geekwu.org.             86400   IN      RRSIG   SOA 14 2 86400 
20181118054749 20181104041749 54076 geekwu.org. 
MygQqAnclUn//WxI3gi04Fjkcim/7C4rusz0pj0RXOwl5yAQZMj5gFl7 
v5WtUdxbysOhGiiJeHHpWWepD46E2DIlpAp/vKC8hw/DGNRSk6gT6cWl UqylhEIgKrekqVb4
geekwu.org.             86400   IN      RRSIG   SOA 14 2 86400 
20181125063021 20181111050021 54076 geekwu.org. 
h1vHar/cdzpfTbVPhP6UW11aW6pB+1sfagKMBIPDif8mDjvLOP1KsTvI 
LuAUUNHaQgcYaoYwc9MrSQ+/se6CweK80B+O7pk+GFSWfqygyHhEvHZt YOHX183eKtYyjFix
geekwu.org.             86400   IN      RRSIG   SOA 14 2 86400 
20181125063028 20181111050028 54076 geekwu.org. 
hDTZuOOKCCWEYlWApA/g+RdSOKxfEGmttto8/BwUNYGBs/2dHziAIQlD 
y4SQh2ST1crUeHOTL7d8o+naqbt2lT7pMNqrUQy6XXYdVZ4gQ6aIjVkG Yi7kRgdG8Nksm31N
geekwu.org.             86400   IN      RRSIG   SOA 14 2 86400 
20181213181717 20181129164717 63974 geekwu.org. 
6BspV1velFjzJQqmGejOSyV6A9NOg3n486/mAx4llB4d+S1KF3j7dzzX 
TmMalQN2QufP7NDCVaV4kmtoOgUwS/XcfAQeDJ/b5/bYNa1ERf/tV6bJ 3Z4by5PlXdqoPte5
geekwu.org.             86400   IN      RRSIG   SOA 14 2 86400 
20190113191717 20181230174717 21289 geekwu.org. 
2+WLMBHmrc2hygRoGtZbtgxikv6aHRv5xDg07nKldKKk/oR9l2GtjpUt 
yaMtgu+x/5Uk02eCwea+Vs41wq7BfzcZlL5SNqud9vFqCWAH3izikfLL mngKO3HHBvzxmqgy
geekwu.org.             86400   IN      RRSIG   SOA 14 2 86400 
20190213201717 20190130184717 63065 geekwu.org. 
8xL2eX4atI6Z+CxwZaF4cwGmNKXY389Qsnz9qZZkXdGcnmzYct5UVBl1 
LM0bR/e3D5ZCAhdFR8NynhUKPwCKaSgivjzKNmLunqDFUJgM/4fZFAP8 pXce50jpYXVMBmhm
geekwu.org.             86400   IN      RRSIG   SOA 14 2 86400 
20190316211717 20190302194717 19071 geekwu.org. 
FdHJKayUYfLsXu9ct9Mfvo1nVRei8xExluWbOfD9wbe/ZDqFQKyBvWKr 
hMrdUvSgCQ52iaTWl88cdPtho8YgGXRC+qse5rzqK+9toKbFryg/jFAX 18xJSYrntilYJm1u
geekwu.org.             86400   IN      RRSIG   SOA 14 2 86400 
20190416221717 20190402204717 14519 geekwu.org. 
kIBe1/zzEbX09gKk0R6MbAicxfoGjL1ojWvR/8oQBdld1yVtyMtLWKic 
NhkellgCaXIb7cluj/SAUQC2lr9tJxZp31oG+DhQBAG2arQAVtphxJ0p yUwD7klvUweJM49Y
geekwu.org.             86400   IN      RRSIG   SOA 14 2 86400 
20191109090028 20191026073028 47945 geekwu.org. 
9tmNQt48ZT3aTV/WkcfPpLQ3/3rpKXaDlasT9+EnRyniLrLuuHgQtRfw 
uxvJpillbGVn15uy9aoMDADV9K5DfdaNOgskK1v3QYgMpGtao+soydi/ Y9MyfDFUQNmSUIKD

Therefore, let's encrypt checks failed when querying it with
"detail": "DNS problem: SERVFAIL looking up CAA for
arrakeen.geekwu.org" 
; I guess their validating resolver did not picked the correct RRSIG, 
and failed to validate.

If you want to investigate, I have another zone which have the same 
problem, and a bit more time before certificate expiration, for which I 
can provide details, journal, etc.

Regards,

-- 
Bastien Durel

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

[knot-dns-users] slave strange behaviour