BIND : DLV : Unable to resolve domains with "RRSIG has expired" error
Issue
- DNS server became unable to resolve domains on March 25 or March 26, 2020.
- The problem disappeared after a while.
- The following messages were observed in the log.
  - Example 1
    validating @0xXXXXXXXXXXXX: dlv.isc.org NSEC: verify failed due to bad signature (keyid=xxxxx): RRSIG has expired
  - Example 2
    validating @0xXXXXXXXXXXXX: dlv.isc.org DNSKEY: verify failed due to bad signature (keyid=xxxxx): RRSIG has expired
  - Example 3
    validating @0xXXXXXXXXXXXX: domain.example.com A: bad cache hit (domain.example.com.dlv.isc.org/DLV)
Environment
- Red Hat Enterprise Linux 6
- BIND 9.8.2-0
- named.conf has the following configuration.
    dnssec-lookaside auto;
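An added triage example, not part of the original article: it parses the three message forms listed under Issue, counts expired-RRSIG failures that fall inside the DLV zone, and checks whether a named.conf text has dnssec-lookaside enabled. The sample log lines, the named.conf fragment and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the three message forms from the Issue section
# (addresses and key ids are made up), plus one failure outside the DLV zone.
SAMPLE_LOG = """\
validating @0x7f3a1c000010: dlv.isc.org NSEC: verify failed due to bad signature (keyid=11111): RRSIG has expired
validating @0x7f3a1c000020: dlv.isc.org DNSKEY: verify failed due to bad signature (keyid=11111): RRSIG has expired
validating @0x7f3a1c000030: domain.example.com A: bad cache hit (domain.example.com.dlv.isc.org/DLV)
validating @0x7f3a1c000040: other.example.net A: verify failed due to bad signature (keyid=22222): RRSIG has expired
"""
SAMPLE_CONF = "options {\n    dnssec-lookaside auto;\n};\n"  # constructed named.conf fragment

PREFIX = r"validating @0x[0-9A-Fa-f]+: (?P<name>\S+) (?P<rrtype>[A-Z0-9]+): "
VERIFY_FAIL = re.compile(PREFIX + r"verify failed due to bad signature "
                         r"\(keyid=(?P<keyid>\d+)\): (?P<reason>.+)$")
BAD_CACHE = re.compile(PREFIX + r"bad cache hit \((?P<via>\S+)/DLV\)")
LOOKASIDE = re.compile(r"^\s*dnssec-lookaside\s+([^;]+);", re.M)


def in_zone(name, zone):
    """True if name is the zone apex or a name below it."""
    name = name.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def triage(log_text, dlv_zone="dlv.isc.org"):
    """Return (expired-RRSIG counts inside the DLV zone, names that failed via DLV)."""
    expired = Counter()   # (owner name, rrtype) -> number of expired-signature failures
    affected = set()      # query names rejected with a "bad cache hit" through the DLV zone
    for line in log_text.splitlines():
        m = VERIFY_FAIL.search(line)
        if m:
            if m["reason"].strip() == "RRSIG has expired" and in_zone(m["name"], dlv_zone):
                expired[(m["name"], m["rrtype"])] += 1
            continue
        m = BAD_CACHE.search(line)
        if m and in_zone(m["via"], dlv_zone):
            affected.add(m["name"])
    return expired, sorted(affected)


def lookaside_enabled(named_conf_text):
    """True if the first uncommented dnssec-lookaside statement is not 'no'."""
    m = LOOKASIDE.search(named_conf_text)
    return bool(m) and m.group(1).strip().lower() != "no"


if __name__ == "__main__":
    print(triage(SAMPLE_LOG), lookaside_enabled(SAMPLE_CONF))
```
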