Bind9: DNS resolution temporarily lost

I'm here to ask for information regarding a problem I resolved, but without understanding how.

Today, my home DNS server (9.10.3-P4-Raspbian), serving the different machines at home, suddenly stopped working.

I could, from this server run the following without problem:

ping 8.8.8.8

and even:

telnet 8.8.8.8 53

However, a simple:

host google.fr

led to the answer:

Trying "google.fr"
;; connection timed out; no servers could be reached

I tried restarting Bind to no avail.

Manually setting an external resolver in /etc/resolv.conf made resolution work again, so it was clearly a Bind problem.

Here comes the weird part. Here is my

acl goodclients {
    192.0.0.0/24;
    localhost;
    localnets;
};

options {
    directory "/var/cache/bind";
    dnssec-enable yes;
    dnssec-lookaside auto;
    dnssec-validation auto;

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };

    recursion yes;
    allow-query { goodclients; };
};

I found a few errors in the dnssec-related logs:

validating dlv.isc.org/SOA: verify failed due to bad signature (keyid=64263): RRSIG has expired

So I tried disabling all DNSSEC-related parameters, like so:

# dnssec-enable yes;
# dnssec-lookaside auto;
# dnssec-validation auto;

Restarting Bind afterwards led to a correct resolution. So I thought it was coming from these parameters. I therefore decided to uncomment them one by one to understand. After each time I uncommented a parameter, I restarted Bind.

It kept working after each restart, even after I had uncommented everything.

So I'm now in the weird situation where everything is working as before, with exactly the same configuration. It is as if simply having changed, then rolled back, the configuration solved the problem.

I'd like to understand what happened, so I'm asking the wise around here: has anyone ever met such a situation?

Thanks in advance.


Solution 1:

This is the cause: https://lists.isc.org/pipermail/bind-users/2020-March/102822.html

Set your dnssec-lookaside to "no".
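As an added illustration of the fix (not code from the question or the answer above): `dnssec-lookaside auto` tells BIND to consult ISC's DLV registry at dlv.isc.org as a secondary trust anchor, and the expired RRSIG on `dlv.isc.org/SOA` in the question's log is that lookup failing validation. The block below puts the options fragment from the question beside a corrected one with `dnssec-lookaside no;`, and adds a small POSIX shell check that reads the setting out of a named.conf fragment. The config strings are constructed here from the question; `lookaside_setting` and `lookaside_enabled` are helper names chosen for this example, and an absent `dnssec-lookaside` statement is treated as disabled.

```shell
#!/bin/sh
# Added example, not part of the original post: the question's options
# block with dnssec-lookaside still set to "auto" (DLV, which ISC has
# retired), beside a corrected block that keeps DNSSEC validation on.

# Constructed from the options block in the question.
ORIGINAL_OPTIONS='options {
    directory "/var/cache/bind";
    dnssec-enable yes;
    dnssec-lookaside auto;
    dnssec-validation auto;
    auth-nxdomain no;    # conform to RFC1035
    recursion yes;
};'

# Corrected block: same settings, lookaside switched off.
FIXED_OPTIONS='options {
    directory "/var/cache/bind";
    dnssec-enable yes;
    dnssec-lookaside no;        # stop consulting dlv.isc.org
    dnssec-validation auto;     # still validate against the root trust anchor
    auth-nxdomain no;    # conform to RFC1035
    recursion yes;
};'

# lookaside_setting CONFIG_TEXT
# Prints the value of the first dnssec-lookaside statement ("auto", "no", ...)
# or "unset" if there is none. Lines commented out with # or // are ignored,
# so a config where the statement is merely commented reports "unset".
lookaside_setting() {
    printf '%s\n' "$1" |
        sed -e 's://.*$::' -e 's:#.*$::' |
        sed -n 's/^[[:space:]]*dnssec-lookaside[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' |
        head -n 1 |
        grep . || echo unset
}

# lookaside_enabled CONFIG_TEXT
# Exit status 0 if the fragment would make BIND use DLV (any value other
# than "no"), 1 otherwise. "unset" is treated as disabled here (assumption).
lookaside_enabled() {
    case "$(lookaside_setting "$1")" in
        no|unset) return 1 ;;
        *)        return 0 ;;
    esac
}

printf 'original: dnssec-lookaside %s\n' "$(lookaside_setting "$ORIGINAL_OPTIONS")"
printf 'fixed:    dnssec-lookaside %s\n' "$(lookaside_setting "$FIXED_OPTIONS")"
```

On a live server the same check can be run against the parsed configuration with `named-checkconf -p | grep dnssec-lookaside`, which resolves includes and shows the value named actually loads; `dnssec-validation auto` stays in place so answers are still validated against the root key.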