cytopia / docker-bind

Bind (bind9) caching DNS server on Alpine or Debian with wild-card domain support [multi-arch]

Home Page:http://devilbox.org/


DNSSEC problems with DNS forwarders

science695 opened this issue · comments

Hello,

I am working with https://github.com/cytopia/devilbox and had everything working yesterday.

I can't find anything in today's update that could have caused this, but the bind container is giving back DNSSEC errors whenever I have a dns forwarder set:

Apr 20 19:21:03 00015d8a4ceb named[1]: broken trust chain resolving 'google.com/A/IN': 192.168.1.10#53
Apr 20 19:21:03 00015d8a4ceb named[1]: validating ./NS: no valid signature found
Apr 20 19:21:03 00015d8a4ceb named[1]: no valid RRSIG resolving './NS/IN': 192.168.1.11#53
Apr 20 19:21:03 00015d8a4ceb named[1]: validating ./NS: no valid signature found
Apr 20 19:21:03 00015d8a4ceb named[1]: no valid RRSIG resolving './NS/IN': 199.7.91.13#53
Apr 20 19:21:03 00015d8a4ceb named[1]: validating ./NS: no valid signature found

I have gone into the container, and turned off dnssec verification and that seems to make it work.

echo " dnssec-validation off;"

echo " dnssec-validation auto;"

If you know of anything that may have changed, that would be helpful.

Or if we could add an ENV variable to turn off DNSSEC validation?

Do you have any other ideas on how this could be resolved?

Thanks!
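As an added illustration (not code from the issue or from the docker-bind project), the script below does two things the report above touches on: it parses named log lines of the kind quoted, pulling out which upstream server each "broken trust chain" / "no valid RRSIG" failure points at, so an operator can see whether the failures cluster on a configured forwarder rather than on the root servers; and it renders the dnssec-validation option from an environment-style value, accepting only the values BIND documents (yes, no, auto). The sample log lines are constructed to mirror the ones in the issue, the forwarder addresses are assumptions, and the DNSSEC_VALIDATE variable name is a hypothetical choice, not the project's actual interface.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the lines quoted in the issue.
# The last line is an ordinary query log entry that must NOT be counted.
SAMPLE_LOG = """\
Apr 20 19:21:03 00015d8a4ceb named[1]: broken trust chain resolving 'google.com/A/IN': 192.168.1.10#53
Apr 20 19:21:03 00015d8a4ceb named[1]: validating ./NS: no valid signature found
Apr 20 19:21:03 00015d8a4ceb named[1]: no valid RRSIG resolving './NS/IN': 192.168.1.11#53
Apr 20 19:21:03 00015d8a4ceb named[1]: validating ./NS: no valid signature found
Apr 20 19:21:03 00015d8a4ceb named[1]: no valid RRSIG resolving './NS/IN': 199.7.91.13#53
Apr 20 19:21:03 00015d8a4ceb named[1]: validating ./NS: no valid signature found
Apr 20 19:21:04 00015d8a4ceb named[1]: client 172.16.238.1#51234 (example.com): query: example.com IN A + (172.16.238.100)
"""

# Assumed set of forwarders configured in named.conf (constructed for the example).
CONFIGURED_FORWARDERS = {"192.168.1.10", "192.168.1.11"}

# The two validation-failure messages that name the upstream server they came from.
FAILURE_RE = re.compile(
    r"named\[\d+\]: (?P<kind>broken trust chain|no valid RRSIG) resolving "
    r"'(?P<name>[^']+)': (?P<server>[\d.]+)#(?P<port>\d+)"
)


def parse_dnssec_failures(log_text):
    """Return one dict per failure line that names an upstream server.

    Lines such as 'validating ./NS: no valid signature found' carry no
    server address and are skipped; they are consequences of the ones kept.
    """
    events = []
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            events.append({
                "kind": m["kind"],
                "name": m["name"],
                "server": m["server"],
                "port": int(m["port"]),
            })
    return events


def failures_per_upstream(events):
    """Count failures by the upstream server address they were resolved against."""
    return Counter(e["server"] for e in events)


def summarize(events, forwarders):
    """Per upstream: failure count and whether it is one of our configured forwarders.

    If most failures sit on forwarders, the likely cause is that the forwarder
    does not return RRSIG/DNSKEY records, so the validating resolver cannot
    build the trust chain; failures on non-forwarder addresses point elsewhere.
    """
    summary = {}
    for server, count in failures_per_upstream(events).items():
        summary[server] = {"count": count, "forwarder": server in forwarders}
    return summary


def render_dnssec_validation(value):
    """Render the named.conf option from a DNSSEC_VALIDATE-style setting.

    Only the values BIND documents for this option are accepted; anything
    else raises so a typo cannot silently produce an unparsable config.
    """
    allowed = {"yes", "no", "auto"}
    v = value.strip().lower()
    if v not in allowed:
        raise ValueError(f"DNSSEC_VALIDATE must be one of {sorted(allowed)}, got {value!r}")
    return f"dnssec-validation {v};"


if __name__ == "__main__":
    evs = parse_dnssec_failures(SAMPLE_LOG)
    for server, info in summarize(evs, CONFIGURED_FORWARDERS).items():
        tag = "forwarder" if info["forwarder"] else "other"
        print(f"{server}: {info['count']} failure(s) [{tag}]")
    print(render_dnssec_validation("auto"))
```

Run it as-is to see the per-upstream breakdown for the constructed log; feed it `docker logs` output from the bind container to apply it to a real run. The summary only tells you where validation broke, not why; confirming that a forwarder actually returns RRSIG records (for example with `dig +dnssec` against it) is the follow-up check before deciding whether turning validation off, as the reporter did, is acceptable on a given network.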

Actually, this may be caused by rebuilding the devilbox cluster with only:
docker-compose down
docker-compose start

rather than including
docker-compose rm

Nevermind that.

This issue is still going on, but it's very hard to debug with DNS cache, etc.

@science695 thanks for reporting this issue. I think making it an env var is a reasonable solution and have it turned off by default.

@science695 can you try the new image and let me know if this resolves your issues:
#8

Fixed in the new version.