Bind : managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

General Discussion
1

Hello,

I have a problem with the configuration of my DNS server (public resolver) at the moment.
It works fine, but I have an error in the logs, a few seconds after starting bind :

managed-keys-zone: Unable to fetch DNSKEY set ‘.’: timed out

I’m running Debian 11 with BIND 9.16.50-Debian (Extended Support Version).

Here are the little things I tried:

  • I’ve updated my db.root from https://www.internic.net/domain/named.root
  • I’ve deleted the cached keys (the files do contain updated KEYDATA) : rm /var/cache/bind/managed-keys.bind*
  • netstat -tulpnW | grep 53 / ss -ntlp | grep :53 : all I have is named.
  • telnet -4 127.0.0.1 53 : connects successfully to the server.
  • dig +dnssec . DNSKEY @127.0.0.1 : flag qr rd ra ad, and compliant answers.
  • dig +dnssec . DNSKEY @a.root-servers.net : flag qr aa rd, and compliant answers.
  • All is ok in iptable.

My file /etc/bind/named.conf :

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
key rndc-key {
	algorithm hmac-sha256;
	secret "secret-key";
};
controls {
	inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

My file /etc/bind/named.conf.options :

acl "trusted" {
	localhost;
	ip-ns-master;
	ip-ns-slave;
};
options {
	directory "/var/cache/bind";
	listen-on { 127.0.0.1; ip-ns-master; };
	listen-on-v6 { none; };
	version none;
	auth-nxdomain no;
	dnssec-validation auto;
	managed-keys-directory "/var/cache/bind";
	allow-query { any; };
	allow-recursion { trusted; };
	allow-query-cache { trusted; };
	allow-transfer { trusted; };
};

My file /etc/bind/named.conf.local (example zone) :

zone "domain.com" {
	type master;
	notify yes;
	allow-transfer { ip-ns-slave; };
	dnssec-policy none;
	file "/var/lib/bind/domain.com.hosts";
};

My file /etc/bind/named.conf.default-zones :

zone "." {
	type hint;
	file "/etc/bind/db.root";
};
[... +local ...]

My file rndc.conf :

key "rndc-key" {
	algorithm hmac-sha256;
	secret "secret-key";
};
options {
	default-key "rndc-key";
	default-server 127.0.0.1;
	default-port 953;
};

My file /etc/resolv.conf :

domain datacenter-domain
search datacenter-domain
nameserver 127.0.0.1
nameserver datacenter-nameserver-1-ip
nameserver datacenter-nameserver-2-ip

If you have any ideas on how to solve this problem, I’d be grateful.

2

I’m not good with DNS but do you have a key set?
Are you using a secondary DNS server?

image
image1439×336 64.7 KB

3

If you’re talking about DNS Keys, yes, they are defined and identical in named.conf and rndc.conf.

My datacenter provides me with a secondary dns slave server (indicated as ip-ns-slave in my conf files).

Please note that dnssec is disabled for each of my domains, this error concerns root servers (zone “.”).