If BIND is configured as a resolver with forwarders, it sometimes falls into an always-SERVFAIL state.
25-May-2021 23:54:57.444 info: client @0x7f54b0000cc8 ::1#45442 (localhost6): query failed (SERVFAIL) for localhost6/IN/AAAA at ../../../lib/ns/query.c:6648
25-May-2021 23:55:58.293 info: client @0x7f54ac0dbe08 172.19.0.2#35931 (mirrors.fedoraproject.org): query failed (broken trust chain) for mirrors.fedoraproject.org/IN/AAAA at ../../../lib/ns/query.c:7360
25-May-2021 23:55:58.293 info: client @0x7f54ac055a88 172.19.0.2#35931 (mirrors.fedoraproject.org): query failed (broken trust chain) for mirrors.fedoraproject.org/IN/A at ../../../lib/ns/query.c:7360
25-May-2021 23:55:58.293 info: client @0x7f54ac055a88 172.19.0.2#35931 (mirrors.fedoraproject.org): query failed (SERVFAIL) for mirrors.fedoraproject.org/IN/A at ../../../lib/ns/query.c:6648
25-May-2021 23:55:58.293 info: client @0x7f54ac0dbe08 172.19.0.2#35931 (mirrors.fedoraproject.org): query failed (SERVFAIL) for mirrors.fedoraproject.org/IN/AAAA at ../../../lib/ns/query.c:6648
dnssec logs:
25-May-2021 23:52:07.772 warning: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out
25-May-2021 23:52:35.292 info: managed-keys-zone: DNSKEY set for zone '.' could not be verified with current keys
For example, this causes dnf to fail to install packages:
dnf
2021-05-25T23:55:59.2949188Z 1 [2021-05-25 23:55:58] [ipatests.pytest_ipa.integration.host.Host.client1.cmd94] Fedora 34 - x86_64 0.0 B/s | 0 B 00:00
2021-05-25T23:55:59.2950461Z 1 [2021-05-25 23:55:58] [ipatests.pytest_ipa.integration.host.Host.client1.cmd94] Errors during downloading metadata for repository 'fedora':
2021-05-25T23:55:59.2951989Z 1 [2021-05-25 23:55:58] [ipatests.pytest_ipa.integration.host.Host.client1.cmd94] - Curl error (6): Couldn't resolve host name for https://mirrors.fedoraproject.org/metalink?repo=fedora-34&arch=x86_64 [Could not resolve host: mirrors.fedoraproject.org]
2021-05-25T23:55:59.2953998Z 1 [2021-05-25 23:55:58] [ipatests.pytest_ipa.integration.host.Host.client1.cmd94] Error: Failed to download metadata for repo 'fedora': Cannot prepare internal mirrorlist: Curl error (6): Couldn't resolve host name for https://mirrors.fedoraproject.org/metalink?repo=fedora-34&arch=x86_64 [Could not resolve host: mirrors.fedoraproject.org]
2021-05-25T23:55:59.2955484Z 1 [2021-05-25 23:55:58] [ipatests.pytest_ipa.integration.host.Host.client1.cmd94] Could not install OpenSC package
2021-05-25T23:55:59.2956395Z 1 [2021-05-25 23:55:58] [ipatests.pytest_ipa.integration.host.Host.client1.cmd94] Exit code: 1
2021-05-25T23:55:59.2957493Z 1 [2021-05-25 23:55:58] [ipatests.pytest_ipa.integration.host.Host.client1.cmd94] stderr: Errors during downloading metadata for repository 'fedora':
2021-05-25T23:55:59.2958818Z 1 [2021-05-25 23:55:58] - Curl error (6): Couldn't resolve host name for https://mirrors.fedoraproject.org/metalink?repo=fedora-34&arch=x86_64 [Could not resolve host: mirrors.fedoraproject.org]
2021-05-25T23:55:59.2960491Z 1 [2021-05-25 23:55:58] Error: Failed to download metadata for repo 'fedora': Cannot prepare internal mirrorlist: Curl error (6): Couldn't resolve host name for https://mirrors.fedoraproject.org/metalink?repo=fedora-34&arch=x86_64 [Could not resolve host: mirrors.fedoraproject.org]
2021-05-25T23:55:59.2961658Z 1 [2021-05-25 23:55:58] Could not install OpenSC package
It turned out that this is a BIND 9.16 bug: https://gitlab.isc.org/isc-projects/bind9/-/issues/2728
The upstream bind9 issue is fixed and the fix will be part of bind 9.16.19.
master:
ipa-4-9:
ipa-4-8:
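A log check for the failure pattern reported in this ticket, added here as an example (it is not FreeIPA or BIND code): it flags a resolver whose root DNSKEY fetch or verification failed and which afterwards rejects queries with "broken trust chain". The function name and report fields are assumptions; the sample lines are copied from the logs quoted above.

```python
import re
from datetime import datetime

# Layout of a named log line as quoted in the ticket:
# "<date> <time> <severity>: <message>"
LINE_RE = re.compile(r"^(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) (\w+): (.*)$")
# The root trust anchor could not be fetched or verified
ANCHOR_RE = re.compile(
    r"managed-keys-zone: (?:Unable to fetch DNSKEY set '\.'"
    r"|DNSKEY set for zone '\.' could not be verified)")
# A client query was rejected during DNSSEC validation
CHAIN_RE = re.compile(r"query failed \(broken trust chain\) for (\S+?)/IN/(\w+)")

def find_trust_anchor_failures(lines):
    """Correlate a root DNSKEY failure with later 'broken trust chain' answers."""
    anchor_failed_at = None
    broken = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a named log line
        ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
        msg = m.group(3)
        if ANCHOR_RE.search(msg):
            anchor_failed_at = anchor_failed_at or ts  # keep the first failure
            continue
        hit = CHAIN_RE.search(msg)
        # Count only validation failures that follow the anchor failure
        if hit and anchor_failed_at and ts >= anchor_failed_at:
            broken.append((ts, hit.group(1), hit.group(2)))
    return {"anchor_failed_at": anchor_failed_at, "broken_chain": broken,
            "suspect": bool(anchor_failed_at and broken)}

# Sample input: lines copied from the logs quoted in this ticket
SAMPLE = [
    "25-May-2021 23:52:07.772 warning: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out",
    "25-May-2021 23:52:35.292 info: managed-keys-zone: DNSKEY set for zone '.' could not be verified with current keys",
    "25-May-2021 23:54:57.444 info: client @0x7f54b0000cc8 ::1#45442 (localhost6): query failed (SERVFAIL) for localhost6/IN/AAAA at ../../../lib/ns/query.c:6648",
    "25-May-2021 23:55:58.293 info: client @0x7f54ac0dbe08 172.19.0.2#35931 (mirrors.fedoraproject.org): query failed (broken trust chain) for mirrors.fedoraproject.org/IN/AAAA at ../../../lib/ns/query.c:7360",
    "25-May-2021 23:55:58.293 info: client @0x7f54ac055a88 172.19.0.2#35931 (mirrors.fedoraproject.org): query failed (broken trust chain) for mirrors.fedoraproject.org/IN/A at ../../../lib/ns/query.c:7360",
]

if __name__ == "__main__":
    report = find_trust_anchor_failures(SAMPLE)
    print("root trust anchor failed at:", report["anchor_failed_at"])
    for ts, name, rtype in report["broken_chain"]:
        print(f"  {ts} broken trust chain: {name} {rtype}")
    print("resolver suspect:", report["suspect"])
```

The check does not clear its state on recovery, because the ticket's logs show no message for a successful root DNSKEY refresh.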