Hi colleagues,
We are using knot-resolver as anycast resolvers for our region-wide network. Everything
works fine, but since Saturday we have been experiencing problems with the .cz zone on one of our
resolvers:

lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [plan ][00000.00] plan 'www.seznam.cz.' type 'AAAA' uid [20220.00]
lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [iterat][20220.00] 'www.seznam.cz.' type 'AAAA' new uid was assigned .01, parent uid .00
lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [cache ][20220.01] => skipping exact RR: rank 060 (min. 030), new TTL -16225
lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [cache ][20220.01] => trying zone: seznam.cz., NSEC3, hash db928b48
lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [cache ][20220.01] => NSEC3 depth 1: hash 0sil3tll31qpi1iq50o2h3kjrmon169q
lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [cache ][20220.01] => NSEC3 encloser error for www.seznam.cz.: range search found stale or insecure entry
lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [cache ][20220.01] => NSEC3 depth 0: hash lg5rgspgqdoqqjko0u7fkpkakk8hgc1s
lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [cache ][20220.01] => NSEC3 encloser error for seznam.cz.: range search found stale or insecure entry
lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [cache ][20220.01] => trying zone: seznam.cz., NSEC3, hash f8ba757c
lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [cache ][20220.01] => NSEC3 depth 1: hash s92e2vuk6k14pvqp4ubga1im9kpgff8a
lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [cache ][20220.01] => NSEC3 encloser error for www.seznam.cz.: range search found stale or insecure entry
lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [cache ][20220.01] => NSEC3 depth 0: hash 07u4nbhjigung96jklsqvtf6crqjojp8
lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [cache ][20220.01] => NSEC3 encloser error for seznam.cz.: range search found stale or insecure entry
lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [zoncut][20220.01] found cut: cz. (rank 002 return codes: DS 0, DNSKEY -116)
lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [plan ][20220.01] plan 'cz.' type 'DNSKEY' uid [20220.02]
lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [iterat][20220.02] 'cz.' type 'DNSKEY' new uid was assigned .03, parent uid .01
lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [cache ][20220.03] => skipping exact RR: rank 060 (min. 030), new TTL -14979
lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [cache ][20220.03] => trying zone: cz., NSEC3, hash 20b5ab23
lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [cache ][20220.03] => NSEC3 depth 0: hash gurgi3ems8m3ts3pvppubu3hhqkivt3l
lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [cache ][20220.03] => NSEC3 encloser error for cz.: range search found stale or insecure entry
lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [cache ][20220.03] => skipping zone: cz., NSEC, hash 0;new TTL -123456789, ret -2
lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [select][20220.03] => id: '03706' choosing from addresses: 0 v4 + 0 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK
lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [select][20220.03] => id: '03706' no suitable transport, zone cut: 'cz.'
lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [iterat][20220.03] 'cz.' type 'DNSKEY' new uid was assigned .04, parent uid .01
lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [select][20220.04] => id: '28359' choosing from addresses: 0 v4 + 0 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK
lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [select][20220.04] => id: '28359' no suitable transport, zone cut: 'cz.'
lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [resolv][20220.04] AD: request NOT classified as SECURE
lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [resolv][20220.01] finished in state: 8, queries: 1, mempool: 16400 B

Version of knot-resolver: 5.7.0-cznic.1
When I turn off DNSSEC with trust_anchors.remove('.') and then turn it on,
everything works, but only for a day or so.
Other machines are working seamlessly. What are we doing wrong here?
Thank you!
--
Best regards
Bc. Martin Doubrava
CEO
_______________________________
DOUBRAVA.NET s.r.o.