BIND’s DNSSEC validation is failing for records served by your Kubernetes cluster when ExternalDNS is configured to use BIND as its provider.
Here’s why this is happening and how to fix it:
Common Causes and Fixes
-
BIND’s
dnssec-enable yes;is missing ordnssec-validation auto;is not set correctly.- Diagnosis: Check your
named.confor zone configuration files fordnssec-enable yes;anddnssec-validation auto;. If they’re absent or set tono, this is likely the issue. - Fix: Ensure
dnssec-enable yes;is present in your global options anddnssec-validation auto;is set.options { directory "/var/cache/bind"; recursion yes; dnssec-enable yes; // Enable DNSSEC globally dnssec-validation auto; // Enable automatic DNSSEC validation listen-on { any; }; }; - Why it works: This tells BIND to actively perform DNSSEC validation for all zones it queries, including those ExternalDNS is managing.
- Diagnosis: Check your
-
ExternalDNS is not configured to sign its zones.
- Diagnosis: ExternalDNS needs to be instructed to generate DNSSEC records for the zones it manages. Check your ExternalDNS deployment configuration.
- Fix: Add the
--txt-owner-idflag to your ExternalDNS arguments, and ensure your BIND zone configuration includesauto-dnssec maintain;orauto-dnssec allow;. If usingauto-dnssec maintain, BIND will automatically generate and manage DNSSEC keys.
And in your BIND zone file or# Example ExternalDNS deployment snippet args: - --source=service - --provider=kubernetes - --registry=txt - --txt-owner-id=my-kubernetes-cluster.example.com. # Your unique identifier - --domain-filter=example.com - --log-level=info - --bind-host=bind.example.com. - --bind-port=53named.conf.local:zone "example.com" { type master; file "/etc/bind/zones/db.example.com"; auto-dnssec maintain; // Or allow }; - Why it works: The
--txt-owner-idis crucial for ExternalDNS to associate records with your cluster.auto-dnssec maintaintells BIND to generate and manage the necessary DNSSEC keys (KSK and ZSK) for the zone, including signing the records ExternalDNS creates.
-
BIND’s
allow-transferoralso-notifyis misconfigured for the DNSSEC keys.- Diagnosis: If BIND is acting as a secondary for a zone where DNSSEC keys are managed elsewhere, or if it’s not properly notifying secondary servers about key changes, validation can fail. Check
allow-transferandalso-notifydirectives in your zone configuration. - Fix: Ensure that any secondary BIND servers are listed in
allow-transferandalso-notifydirectives, and that they are also configured for DNSSEC validation.zone "example.com" { type master; file "/etc/bind/zones/db.example.com"; allow-transfer { 192.168.1.2; }; // IP of secondary BIND server also-notify { 192.168.1.2; }; auto-dnssec maintain; }; - Why it works: This ensures that secondary DNS servers receive zone transfers and notifications, including updates to DNSSEC records and keys, keeping their information consistent and allowing for proper validation.
- Diagnosis: If BIND is acting as a secondary for a zone where DNSSEC keys are managed elsewhere, or if it’s not properly notifying secondary servers about key changes, validation can fail. Check
-
Incorrect DNSSEC key material or trust anchors.
- Diagnosis: If you’re manually managing DNSSEC keys or trust anchors, a mismatch between what BIND expects and what’s published can cause validation to fail. Use
dig +dnssec <your_domain>to check the DNSSEC records and compare them with your key management. - Fix: If BIND is managing keys with
auto-dnssec maintain, it will generate them. If you’re using external key management, ensure the trust anchor (DS record) for your zone is correctly published at the parent zone and that BIND has access to the correct public keys. For BIND to resolve external DS records, it needs to be able to query the parent zone. - Why it works: DNSSEC validation relies on a chain of trust. If the DS record in the parent zone doesn’t correctly point to the keys in your zone, or if BIND doesn’t have the correct public keys for your zone, the chain is broken, and validation fails.
- Diagnosis: If you’re manually managing DNSSEC keys or trust anchors, a mismatch between what BIND expects and what’s published can cause validation to fail. Use
-
BIND’s
managed-keysfile is corrupt or out of date.- Diagnosis: BIND stores information about trust anchors in its
managed-keys.bindfile (default location). If this file becomes corrupt or contains stale information, it can lead to validation issues. Check BIND logs for errors related tomanaged-keys. - Fix: Stop BIND, delete the
managed-keys.bindfile (usually in/var/cache/bind/or/var/lib/bind/), and restart BIND. BIND will re-fetch the necessary trust anchor information.sudo systemctl stop bind9 sudo rm /var/cache/bind/managed-keys.bind sudo systemctl start bind9 - Why it works: This forces BIND to re-establish its knowledge of trust anchors for the root zone and any other zones it’s configured to manage keys for, clearing out any potentially corrupted data.
- Diagnosis: BIND stores information about trust anchors in its
-
Network issues preventing BIND from querying for trust anchors or validating signatures.
- Diagnosis: Ensure BIND can reach external DNS servers (like
8.8.8.8) and that no firewalls are blocking UDP/TCP port 53 outbound. - Fix: Verify network connectivity from your BIND server to the internet on port 53.
# From the BIND server: dig @8.8.8.8 google.com - Why it works: DNSSEC validation requires BIND to be able to query other DNS servers to fetch RRSIG records, DNSKEY records, and DS records, which are essential for building the chain of trust.
- Diagnosis: Ensure BIND can reach external DNS servers (like
After applying these fixes, restart BIND and ExternalDNS. You should then see ExternalDNS successfully creating DNSSEC-signed records, and BIND validating them correctly.
The next error you’ll likely encounter is related to ExternalDNS’s ability to update TXT records if your Kubernetes RBAC permissions are insufficient for the ExternalDNSServiceAccount.