Bug 1212115 - bind (dns) dnssec or trust errors with today's homerouter (avm fritzbox) update?
Summary: bind (dns) dnssec or trust errors with today's homerouter (avm fritzbox) update?
Status: NEW
Alias: None
Product: openSUSE Distribution
Classification: openSUSE
Component: Network
Version: Leap 15.4
Hardware: x86-64 openSUSE Leap 15.4
Importance: P5 - None, Major
Target Milestone: ---
Assignee: Jorik Cronenberg
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-06-07 17:58 UTC by andreas bittner
Modified: 2023-08-10 07:38 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description andreas bittner 2023-06-07 17:58:44 UTC
openSUSE Leap 15.4 normal system, no fancy stuff, uptime for many weeks; it used to work normally right up until I issued a LAN home router firmware upgrade (avm fritzbox 7590, latest firmware level 7.56 of today)

I have had for ages a very simple named.conf (forwarder to the fritzbox via its IPv4 address) and a resolv.conf pointing to 127.0.0.1

suddenly, after the home router rebooted, I observed DNS resolution problems; everything failed to resolve on this 15.4 machine.

the lines I see in journalctl -u named.service right after startup of bind are:

--------------

Jun 07 19:45:12 tux01 systemd[1]: Started Berkeley Internet Name Domain (DNS).
Jun 07 19:45:12 tux01 named[7052]: DNS format error from 192.168.188.1#53 resolving ./DNSKEY for <unknown>: unrelated SOA fritz.box in . authority section
Jun 07 19:45:12 tux01 named[7052]: managed-keys-zone: Unable to fetch DNSKEY set '.': ncache nxdomain
Jun 07 19:45:12 tux01 named[7052]: validating ./NS: no valid signature found
Jun 07 19:45:12 tux01 named[7052]: no valid RRSIG resolving './NS/IN': 2001:500:200::b#53
Jun 07 19:45:12 tux01 named[7052]: validating ./NS: no valid signature found
Jun 07 19:45:12 tux01 named[7052]: no valid RRSIG resolving './NS/IN': 2001:500:1::53#53
Jun 07 19:45:12 tux01 named[7052]: validating ./NS: no valid signature found
Jun 07 19:45:12 tux01 named[7052]: no valid RRSIG resolving './NS/IN': 2001:500:a8::e#53
Jun 07 19:45:12 tux01 named[7052]: validating ./NS: no valid signature found
Jun 07 19:45:12 tux01 named[7052]: no valid RRSIG resolving './NS/IN': 2001:503:ba3e::2:30#53
Jun 07 19:45:12 tux01 named[7052]: validating ./NS: no valid signature found
Jun 07 19:45:12 tux01 named[7052]: no valid RRSIG resolving './NS/IN': 2001:7fd::1#53
Jun 07 19:45:13 tux01 named[7052]: DNS format error from 192.168.188.1#53 resolving ./DNSKEY for <unknown>: unrelated SOA fritz.box in . authority section
Jun 07 19:45:13 tux01 named[7052]: DNS format error from 192.168.188.1#53 resolving box/DS for <unknown>: unrelated SOA fritz.box in box authority section
Jun 07 19:45:13 tux01 named[7052]: no valid RRSIG resolving 'box/DS/IN': 192.168.188.1#53
Jun 07 19:45:20 tux01 named[7052]: DNS format error from 192.168.188.1#53 resolving de/DS for <unknown>: unrelated SOA fritz.box in de authority section
Jun 07 19:45:22 tux01 named[7052]: resolver priming query complete

------------


I couldn't make things work again; the only idea was to disable this line in my named.conf:

        #forwarders { 192.0.2.1; 192.0.2.2; };
#       forwarders { 192.168.188.1; };



besides that, I have:
less resolv.conf
# Generated by NetworkManager
nameserver 127.0.0.1

------------


when I run nslookup opensuse.org 192.168.188.1 directly, the Linux DNS stack works fine

when I run nslookup through localhost (or via nscd, or however all these things are built on top of one another?)

there are errors, failures and no results.

really, the only things that changed (since the last firmware update of that fritzbox 7590 router some weeks ago) were the normal automatic zypper updates that came in over the recent weeks for openSUSE 15.4

Currently, when I put that forwarders line back into named.conf, everything grinds to a halt and DNS lookups stall the same way.

I wonder if this is a faulty home router firmware, or something else is amiss?
thanks.
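As an added triage aid (not part of the report or of bind itself), the script below parses the named journal lines quoted above and separates the two things they show: the forwarder 192.168.188.1 answering DS/DNSKEY queries with an unrelated fritz.box SOA (a format error that prevents the root trust anchor from being refreshed), and the resulting "no valid RRSIG" validation failures. The function names and the verdict rule are this example's own.

```python
import re
from collections import defaultdict

# Journal lines taken from the bug description above (abbreviated).
SAMPLE_LOG = """\
Jun 07 19:45:12 tux01 named[7052]: DNS format error from 192.168.188.1#53 resolving ./DNSKEY for <unknown>: unrelated SOA fritz.box in . authority section
Jun 07 19:45:12 tux01 named[7052]: managed-keys-zone: Unable to fetch DNSKEY set '.': ncache nxdomain
Jun 07 19:45:12 tux01 named[7052]: validating ./NS: no valid signature found
Jun 07 19:45:12 tux01 named[7052]: no valid RRSIG resolving './NS/IN': 2001:500:200::b#53
Jun 07 19:45:13 tux01 named[7052]: DNS format error from 192.168.188.1#53 resolving box/DS for <unknown>: unrelated SOA fritz.box in box authority section
Jun 07 19:45:13 tux01 named[7052]: no valid RRSIG resolving 'box/DS/IN': 192.168.188.1#53
Jun 07 19:45:20 tux01 named[7052]: DNS format error from 192.168.188.1#53 resolving de/DS for <unknown>: unrelated SOA fritz.box in de authority section
Jun 07 19:45:22 tux01 named[7052]: resolver priming query complete
"""

FORMERR = re.compile(r"DNS format error from (\S+) resolving (\S+) for .*?: "
                     r"unrelated SOA (\S+) in (\S+) authority section")
NO_RRSIG = re.compile(r"no valid RRSIG resolving '([^']+)': (\S+)")
KEYFAIL = re.compile(r"managed-keys-zone: Unable to fetch DNSKEY set '([^']+)'")

def triage_named_log(text):
    """Group named's DNSSEC-related errors by the upstream server that caused them."""
    formerr = defaultdict(set)   # server -> {(query, bogus SOA owner name)}
    no_rrsig = defaultdict(set)  # server -> {query that lacked a usable RRSIG}
    keyfail = set()              # trust-anchor zones that could not be refreshed
    for line in text.splitlines():
        if m := FORMERR.search(line):
            formerr[m.group(1)].add((m.group(2), m.group(3)))
        elif m := NO_RRSIG.search(line):
            no_rrsig[m.group(2)].add(m.group(1))
        elif m := KEYFAIL.search(line):
            keyfail.add(m.group(1))
    return {"formerr": dict(formerr), "no_rrsig": dict(no_rrsig), "keyfail": keyfail}

def forwarder_mangles_dnssec(report):
    """Verdict rule (this example's own): an upstream that injects an unrelated
    SOA into DS/DNSKEY answers, combined with a failed root trust-anchor
    refresh, points at the forwarder rewriting DNSSEC responses rather than
    at a local validation bug."""
    bad = [srv for srv, errs in report["formerr"].items()
           if any(q.endswith(("/DS", "/DNSKEY")) for q, _ in errs)]
    return bool(bad) and "." in report["keyfail"]

if __name__ == "__main__":
    rep = triage_named_log(SAMPLE_LOG)
    for srv, errs in rep["formerr"].items():
        print(f"format errors from {srv}: {sorted(errs)}")
    print("forwarder mangles DNSSEC:", forwarder_mangles_dnssec(rep))
```

Run it against `journalctl -u named.service --no-pager` output to see whether the format errors all come from one upstream before changing named.conf.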
Comment 1 andreas bittner 2023-06-07 19:50:17 UTC
I have reproduced this situation on another Leap 15.4 box with simple resolv.conf and named.conf files

as soon as I have anything in resolv.conf that apparently diverts DNS lookups directly to the fritzbox home router, everything works fine.

as soon as I have nothing in resolv.conf and the forwarder line in named.conf (thus forcing all DNS queries through the localhost named, which uses the fritzbox home router as a forwarder), there is fundamental DNS trouble.

server cant find opensuse.org SERVFAIL

the log / journal for named.service shows lots of DNSSEC-type errors: no valid RRSIG, broken trust chain resolving this and that and everything.

this only started when I upgraded the avm home router (same model at this second place, fritzbox 7590, now firmware version 7.56, released today by AVM)

previously these two avm fritzbox 7590 home routers had firmware 7.50, the only direct predecessor

the question now remains: is this an openSUSE Linux problem all of a sudden manifesting as a DNS problem, or is this AVM fritzbox home router trouble with their firmware 7.56 implementation?

thanks.
Comment 2 Jorik Cronenberg 2023-08-03 10:00:18 UTC
Try setting the following in your named.conf
> dnssec-enable yes;
> dnssec-validation yes;
Comment 3 andreas bittner 2023-08-10 07:38:24 UTC
those two lines help. I can't make much sense yet of why it actually helps; I had thought that bind was always (?) using DNSSEC when available?

anyhow, these fritzbox home routers have apparently changed their DNS behaviour nevertheless.

thanks for helping.