Issues with DNSSEC the last few days

Hello,

I'm using a local recursor for my network (BIND) and have set it to forward mode to the Cloudflare DNS server (using both IPv4 and IPv6). I also have DNSSEC validation turned on, and for the last few days I have had major problems with Cloudflare DNS. Right after flushing the local resolver and trying to do some requests…

04-Feb-2020 13:02:45.178 general: info: received control channel command 'flush'
04-Feb-2020 13:02:45.179 general: info: flushing caches in all views succeeded
04-Feb-2020 13:02:57.891 dnssec: info: validating arpa/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:02:57.922 dnssec: info: validating arpa/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:02:57.936 dnssec: info: validating arpa/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:02:57.965 dnssec: info: validating arpa/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:02:57.973 dnssec: info:   validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:02:57.980 dnssec: info:   validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:02:58.028 dnssec: info:   validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:02:58.807 dnssec: info:   validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:02:58.836 dnssec: info: validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:02:58.842 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:02:58.853 dnssec: info:   validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:02:58.865 dnssec: info:   validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:02:58.894 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:02:59.026 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:02:59.105 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:02:59.631 dnssec: info:   validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:00.401 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:00.916 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:02.020 dnssec: info:   validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:02.580 dnssec: info:   validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:03.038 dnssec: info:   validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:03.191 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:03.800 dnssec: info:   validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:03.807 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:04.489 dnssec: info:   validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:04.501 dnssec: info:   validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:04.512 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:04.543 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:04.572 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:04.583 dnssec: info:   validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:05.063 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:05.554 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:12.480 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:25.724 dnssec: info: validating ntp.se/A: got insecure response; parent indicates it should be secure
04-Feb-2020 13:03:25.733 dnssec: info: validating ntp.se/A: got insecure response; parent indicates it should be secure
04-Feb-2020 13:03:25.809 dnssec: info: validating ntp.se/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:03:25.817 dnssec: info: validating ntp.se/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:03:25.866 dnssec: info: validating ntp.se/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:03:25.911 dnssec: info: validating ntp.se/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:03:31.217 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:44.155 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:45.943 dnssec: info: validating dash.cloudflare.com/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:03:45.961 dnssec: info: validating dash.cloudflare.com/A: got insecure response; parent indicates it should be secure
04-Feb-2020 13:03:45.992 dnssec: info: validating dash.cloudflare.com/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:03:46.000 dnssec: info: validating dash.cloudflare.com/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:03:47.328 dnssec: info: validating dev/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:04:07.738 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:04:35.668 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:05:10.903 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:05:24.419 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)

This has been going on for the last 4-5 days… every day there are more errors for more domains… I went through the logs and it seems this is where it started (logs from the 28th & 30th only):

28-Jan-2020 20:33:47.532 dnssec: info:   validating one/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 06:51:08.446 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 07:47:02.833 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 07:47:02.837 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 07:47:03.604 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 07:47:03.891 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 07:47:03.895 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 07:50:47.412 dnssec: info:   validating am/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 07:50:47.417 dnssec: info:   validating am/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 09:18:24.840 dnssec: info: validating mobi/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 09:48:07.246 dnssec: info:   validating lt/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 16:10:40.144 dnssec: info: validating aco.net/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 16:10:40.289 dnssec: info:   validating aco.net/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 16:10:40.658 dnssec: info: validating ts2.aco.net/A: got insecure response; parent indicates it should be secure
30-Jan-2020 16:11:43.357 dnssec: info:   validating 4.1.1.0.0.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 16:11:45.232 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 16:11:45.773 dnssec: info: validating 0.a.2.ip6.arpa/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 16:11:46.144 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 16:11:46.735 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 16:11:47.875 dnssec: info:   validating 6.0.1.0.0.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 16:11:48.203 dnssec: info:   validating 6.0.1.0.0.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 16:11:48.977 dnssec: info: validating 6.0.1.0.0.2.ip6.arpa/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 16:11:49.568 dnssec: info:   validating 6.0.1.0.0.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 16:11:50.908 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 16:11:51.653 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 16:36:17.298 dnssec: info: validating app.uriports.com/A: got insecure response; parent indicates it should be secure
30-Jan-2020 17:04:25.562 dnssec: info: validating 0.a.2.ip6.arpa/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 17:04:25.632 dnssec: info: validating 0.a.2.ip6.arpa/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 17:04:25.635 dnssec: info: validating 0.a.2.ip6.arpa/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 17:33:10.734 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 17:33:10.738 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 17:33:13.504 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 17:33:13.978 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 17:33:14.550 dnssec: info: validating aco.net/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 17:33:14.867 dnssec: info:   validating aco.net/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 17:33:14.935 dnssec: info:   validating aco.net/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 17:33:15.022 dnssec: info: validating ts2.aco.net/AAAA: got insecure response; parent indicates it should be secure
30-Jan-2020 18:26:03.898 dnssec: info:   validating guru/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 18:26:03.943 dnssec: info:   validating guru/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 18:26:04.061 dnssec: info: validating guru/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 18:26:04.065 dnssec: info: validating guru/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 19:01:46.245 dnssec: info: validating mobi/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 19:04:11.574 dnssec: info: validating 0.a.2.ip6.arpa/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 19:04:11.998 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 19:04:14.120 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 19:05:42.872 dnssec: info: validating aco.net/AAAA: got insecure response; parent indicates it should be secure
30-Jan-2020 19:14:25.010 dnssec: info: validating t-2.com/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 19:52:26.501 dnssec: info:   validating sc/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 20:20:55.464 dnssec: info:   validating in/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 21:07:12.520 dnssec: info:   validating rootonline.de/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 21:07:12.582 dnssec: info: validating rootonline.de/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 21:07:12.687 dnssec: info: validating viewer-geolocation.twitch-ext.rootonline.de/AAAA: got insecure response; parent indicates it should be secure
30-Jan-2020 21:30:01.495 dnssec: info:   validating promo/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 21:30:01.625 dnssec: info:   validating promo/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 21:30:02.121 dnssec: info: validating promo/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 21:30:02.513 dnssec: info: validating promo/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 22:49:42.586 dnssec: info: validating agency/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 23:10:29.451 dnssec: info:   validating 143.221.in-addr.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 23:25:05.352 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 23:25:06.167 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 23:25:06.171 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 23:25:06.376 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 23:25:08.698 dnssec: info: validating 150.in-addr.arpa/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 23:25:51.766 dnssec: info:   validating test-ns-signed.internet.nl/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 23:25:51.829 dnssec: info:   validating test-ns-signed.internet.nl/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 23:25:51.982 dnssec: info:   validating test-ns-signed.internet.nl/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 23:25:51.990 dnssec: info:   validating test-ns-signed.internet.nl/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 23:25:51.998 dnssec: info:   validating test-ns-signed.internet.nl/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 23:46:42.503 dnssec: info:   validating instant-gaming.com/SOA: got insecure response; parent indicates it should be secure

And if this helps, DNS over IPv4 uses the Zagreb, Croatia datacenter and IPv6 uses the Austrian one.

Also, changing it to Google DNS fixes the issue, and/or turning DNSSEC validation off (but this is not the point)… I really find it interesting that there are in general still so many problems with DNSSEC these days… if some random page doesn't work for a few days, check the DNS server logs, because there's a good chance you will find something wrong with resolving it (or it is resolving very slowly)… honestly, in the last year, when DNSSEC is more adopted, there were a few times I was asking myself if I should just turn off DNSSEC validation, because if admins are not putting effort into keeping it up, what's the point? Expired keys, KSK is top domain, but no DNSSEC in subdomain and things like that… not maintained DNSSEC literally breaks the internet, that's why most ISPs in my country have it turned off… the sad thing is, KSKs “should” be rolled over every few years (the part you maybe need to “bother” someone else with) and ZSKs, you can roll over every couple of months automatically if you have access to the DNS servers… if I can do it for my worthless home domain, then why can't admins that are paid for doing things like that do it for way more important domains…
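
An added example, not part of the original post: one way to triage a BIND `dnssec` log like the one above is to group every failure under the name that is actually blamed, so a single bad `arpa/DNSKEY` answer is not counted as dozens of unrelated problems. The function names and the grouping heuristic (a "bad cache hit" is attributed to the name in parentheses) are assumptions of this sketch.

```python
import re
from collections import defaultdict
from datetime import datetime

# A few lines copied from the log in the post above (not the full log).
SAMPLE = """\
04-Feb-2020 13:02:45.179 general: info: flushing caches in all views succeeded
04-Feb-2020 13:02:57.891 dnssec: info: validating arpa/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:02:57.973 dnssec: info:   validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:02:58.836 dnssec: info: validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:25.724 dnssec: info: validating ntp.se/A: got insecure response; parent indicates it should be secure
04-Feb-2020 13:03:25.809 dnssec: info: validating ntp.se/DNSKEY: got insecure response; parent indicates it should be secure
"""

LINE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) dnssec: info:\s+"
    r"validating (?P<name>\S+)/(?P<rtype>[\w-]+): (?P<msg>.+)$")
CACHED = re.compile(r"bad cache hit \((?P<name>\S+)/(?P<rtype>[\w-]+)\)")

def parse(text):
    """Yield (timestamp, owner name, rrtype, kind, blamed name) per dnssec line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # lines from other categories (e.g. general) are skipped
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        cached = CACHED.search(m["msg"])
        if cached:  # failure inherited from an earlier, cached validation failure
            yield ts, m["name"], m["rtype"], "bad_cache_hit", cached["name"]
        elif m["msg"].startswith("got insecure response"):
            yield ts, m["name"], m["rtype"], "insecure_response", m["name"]

def summarize(text):
    """Group failures under the blamed name, keeping the first-seen time."""
    out = defaultdict(lambda: {"first_seen": None, "count": 0, "affected": set()})
    for ts, name, rtype, kind, blamed in parse(text):
        entry = out[blamed]
        entry["count"] += 1
        entry["affected"].add(f"{name}/{rtype}")
        if entry["first_seen"] is None or ts < entry["first_seen"]:
            entry["first_seen"] = ts
    return dict(out)

if __name__ == "__main__":
    for zone, e in sorted(summarize(SAMPLE).items(), key=lambda kv: kv[1]["first_seen"]):
        print(f"{e['first_seen']:%d-%b %H:%M:%S} {zone:<10} x{e['count']} {sorted(e['affected'])}")
```

Sorting by first-seen time shows which zone broke first, which is the name to compare against a second validating resolver before deciding whether the fault lies with the forwarder or with the zone.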