Bind : managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

Hello,

I have a problem with the configuration of my DNS server (public resolver) at the moment.
It works fine, but I have an error in the logs a few seconds after starting bind:

managed-keys-zone: Unable to fetch DNSKEY set ‘.’: timed out

I’m running Debian 11 with BIND 9.16.50-Debian (Extended Support Version).

Here are the little things I tried:

  • I’ve updated my db.root from https://www.internic.net/domain/named.root
  • I’ve deleted the cached keys (the files do contain updated KEYDATA): rm /var/cache/bind/managed-keys.bind*
  • netstat -tulpnW | grep 53 / ss -ntlp | grep :53 : all I have is named.
  • telnet -4 127.0.0.1 53: connects successfully to the server.
  • dig +dnssec . DNSKEY @127.0.0.1: flags qr rd ra ad, and compliant answers.
  • dig +dnssec . DNSKEY @a.root-servers.net: flags qr aa rd, and compliant answers.
  • All is OK in iptables.

My file /etc/bind/named.conf:

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
key rndc-key {
	algorithm hmac-sha256;
	secret "secret-key";
};
controls {
	inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

My file /etc/bind/named.conf.options:

acl "trusted" {
	localhost;
	ip-ns-master;
	ip-ns-slave;
};
options {
	directory "/var/cache/bind";
	listen-on { 127.0.0.1; ip-ns-master; };
	listen-on-v6 { none; };
	version none;
	auth-nxdomain no;
	dnssec-validation auto;
	managed-keys-directory "/var/cache/bind";
	allow-query { any; };
	allow-recursion { trusted; };
	allow-query-cache { trusted; };
	allow-transfer { trusted; };
};

My file /etc/bind/named.conf.local (example zone):

zone "domain.com" {
	type master;
	notify yes;
	allow-transfer { ip-ns-slave; };
	dnssec-policy none;
	file "/var/lib/bind/domain.com.hosts";
};

My file /etc/bind/named.conf.default-zones:

zone "." {
	type hint;
	file "/etc/bind/db.root";
};
[... +local ...]

My file rndc.conf:

key "rndc-key" {
	algorithm hmac-sha256;
	secret "secret-key";
};
options {
	default-key "rndc-key";
	default-server 127.0.0.1;
	default-port 953;
};

My file /etc/resolv.conf:

domain datacenter-domain
search datacenter-domain
nameserver 127.0.0.1
nameserver datacenter-nameserver-1-ip
nameserver datacenter-nameserver-2-ip

If you have any ideas on how to solve this problem, I’d be grateful.
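To look at the fetch the managed-keys zone is timing out on from the host itself, here is an added example (not from this thread and not BIND's own code): it builds the same `. DNSKEY` query with EDNS0 and the DO bit, parses the reply, and computes RFC 4034 key tags so they can be compared with the key ids recorded in managed-keys.bind. The sample reply and its key material are constructed, and the 1232-byte advertised buffer is an assumption (the DNS flag day 2020 value), not a value taken from the poster's configuration.

```python
import socket, struct
DNSKEY, OPT = 48, 41

def build_root_dnskey_query(txid=0x1234, udp_size=1232):
    # '. DNSKEY IN' with RD set and one EDNS0 OPT record: advertised buffer udp_size, DO bit in the OPT "TTL"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = b"\x00" + struct.pack("!HH", DNSKEY, 1)          # root owner name is a lone zero byte
    return header + question + b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0x8000, 0)

def _skip_name(msg, off):
    # advance past an owner name; a compression pointer (top two bits set) ends the name
    while msg[off] != 0:
        if (msg[off] & 0xC0) == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def key_tag(rdata):
    # RFC 4034 Appendix B, computed over the whole DNSKEY RDATA (algorithms other than 1)
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_dnskeys(msg):
    # return the TC flag plus every DNSKEY RR in the answer section (flags, algorithm, key tag, SEP bit)
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                          # skip QTYPE and QCLASS
    keys = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == DNSKEY:
            kflags, _, alg = struct.unpack("!HBB", rdata[:4])
            keys.append({"flags": kflags, "alg": alg, "tag": key_tag(rdata), "sep": bool(kflags & 1)})
    return {"tc": bool(flags & 0x0200), "keys": keys}           # tc set: answer truncated, retry over TCP

def fetch_root_dnskey(server, timeout=5.0):
    # send the same query to one root server over UDP (v4 or v6); socket.timeout is the log's "timed out"
    with socket.socket(socket.AF_INET6 if ":" in server else socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_root_dnskey_query(), (server, 53))
        return parse_dnskeys(s.recv(4096))

KSK_RDATA = struct.pack("!HBB", 257, 3, 8) + b"\x03\x01\x00\x01" + bytes(range(32))      # constructed KSK (SEP bit), not a real root key
ZSK_RDATA = struct.pack("!HBB", 256, 3, 8) + b"\x03\x01\x00\x01" + bytes(range(32, 64))  # constructed ZSK
SAMPLE_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0) + b"\x00" + struct.pack("!HH", DNSKEY, 1)  # QR|RD|RA
for rdata in (KSK_RDATA, ZSK_RDATA):   # owner name 0xc00c is a compression pointer back to the question name
    SAMPLE_REPLY += b"\xc0\x0c" + struct.pack("!HHIH", DNSKEY, 1, 172800, len(rdata)) + rdata
```

Running fetch_root_dnskey against each root server's IPv4 and IPv6 address from this host separates a filtered path (socket.timeout) from a too-small buffer (tc True), a distinction the "timed out" log line alone does not make.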

I’m not good with DNS, but do you have a key set?
Are you using a secondary DNS server?

If you’re talking about DNS Keys, yes, they are defined and identical in named.conf and rndc.conf.

My datacenter provides me with a secondary DNS slave server (indicated as ip-ns-slave in my conf files).

Please note that DNSSEC is disabled for each of my domains; this error concerns the root servers (zone “.”).
