openstreetmap / chef

Chef configuration management repo for configuring & maintaining the OpenStreetMap servers.
Apache License 2.0

Set dnssec negative trust anchors #665

Closed Firefishy closed 7 months ago

Firefishy commented 7 months ago

Set DNSSEC negative trust anchors.

Firefishy commented 7 months ago

For reference, systemd-resolved has a default negative list if none is specified:

```
10.in-addr.arpa 16.172.in-addr.arpa 168.192.in-addr.arpa 17.172.in-addr.arpa 18.172.in-addr.arpa 19.172.in-addr.arpa 20.172.in-addr.arpa 21.172.in-addr.arpa 22.172.in-addr.arpa 23.172.in-addr.arpa 24.172.in-addr.arpa 25.172.in-addr.arpa 26.172.in-addr.arpa 27.172.in-addr.arpa 28.172.in-addr.arpa 29.172.in-addr.arpa 30.172.in-addr.arpa 31.172.in-addr.arpa corp d.f.ip6.arpa home home.arpa internal intranet lan local private test
```
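The comment above notes that the built-in negative trust anchor (NTA) list only applies when none is specified, which is why a site-specific list has to carry the defaults along explicitly. The Ruby below is an added example, not code from the openstreetmap/chef repository: it merges a site's own NTAs with the systemd defaults quoted above, rejects malformed names, renders a `resolved.conf` drop-in, and parses the rendered file back so a test can confirm the defaults survived. The `osm.internal` zone is a hypothetical placeholder. Keep in mind what an NTA does: it switches DNSSEC validation off for everything under that name, so it is the right tool for unsigned private zones (RFC 1918 reverse zones, `home.arpa`, an internal domain) and the wrong tool for a public, signed zone whose validation has started failing.

```ruby
# Added example for a systemd-resolved DNSSECNegativeTrustAnchors= drop-in.
# Not part of the openstreetmap/chef cookbooks; 'osm.internal' is a placeholder.

# Built-in negative trust anchors as listed in the PR comment above.
SYSTEMD_DEFAULT_NTAS = %w[
  10.in-addr.arpa 16.172.in-addr.arpa 168.192.in-addr.arpa 17.172.in-addr.arpa
  18.172.in-addr.arpa 19.172.in-addr.arpa 20.172.in-addr.arpa 21.172.in-addr.arpa
  22.172.in-addr.arpa 23.172.in-addr.arpa 24.172.in-addr.arpa 25.172.in-addr.arpa
  26.172.in-addr.arpa 27.172.in-addr.arpa 28.172.in-addr.arpa 29.172.in-addr.arpa
  30.172.in-addr.arpa 31.172.in-addr.arpa corp d.f.ip6.arpa home home.arpa
  internal intranet lan local private test
].freeze

# Hostname-style labels only: letters, digits, hyphens, no leading/trailing hyphen.
NTA_NAME = /\A[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*\z/

# Lower-case the name and drop a trailing dot so duplicates collapse.
def normalize_nta(name)
  name.strip.downcase.chomp('.')
end

def valid_nta?(name)
  name.length <= 253 && NTA_NAME.match?(name)
end

# Defaults first, then the site's own zones, de-duplicated and validated.
# Raises on anything that is not a plausible DNS name so a typo never
# silently becomes a validation exemption for a nonsense string.
def negative_trust_anchors(extra = [])
  names = (SYSTEMD_DEFAULT_NTAS + extra.map { |n| normalize_nta(n) }).uniq
  bad = names.reject { |n| valid_nta?(n) }
  raise ArgumentError, "invalid negative trust anchor(s): #{bad.join(' ')}" unless bad.empty?
  names
end

# Content for a file such as /etc/systemd/resolved.conf.d/nta.conf.
def render_resolved_dropin(extra = [])
  "[Resolve]\nDNSSECNegativeTrustAnchors=#{negative_trust_anchors(extra).join(' ')}\n"
end

# Read the NTA names back out of a rendered drop-in (used to check that
# the defaults are still present after adding site-specific entries).
def ntas_in_dropin(text)
  text.each_line.filter_map do |line|
    key, value = line.strip.split('=', 2)
    value.split if key == 'DNSSECNegativeTrustAnchors' && value
  end.flatten
end

if __FILE__ == $PROGRAM_NAME
  puts render_resolved_dropin(%w[osm.internal])
end
```

After installing the drop-in and restarting systemd-resolved, `resolvectl status` lists the active exemptions on its `DNSSEC NTA:` lines; if the default reverse zones are missing there, the merge step was skipped.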

Firefishy commented 7 months ago

Added in the default NTAs.

Firefishy commented 7 months ago

I am closing this PR. It appears the issue we had a few days back is a bit more complex. On gateway instances we have bind9 / named running a DNS server. When DNS stopped working, restarting JUST named on the gateway fixed the issue.

Somehow DNSSEC was failing for openstreetmap.org and not the geo.openstreetmap.org zone. The belief is that something was likely broken with the named cache or similar.