Correcting BIND errors due to an out-of-sync clock

If your system's BIND name server has stopped answering recursive lookups, first check the logs. These are normally at /var/log/syslog, and you may see errors similar to the following:

Feb 28 09:47:59 server named[2480]: error (no valid KEY) resolving './DNSKEY/IN': 192.228.79.201#53
Feb 28 09:48:00 server named[2480]: validating @0xb7f4d5f0: . DNSKEY: verify failed due to bad signature (keyid=19036): RRSIG validity period has not begun
Feb 28 09:48:00 server named[2480]: validating @0xb7f4d5f0: . DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for '.'
Feb 28 09:48:00 server named[2480]: validating @0xb7f4d5f0: . DNSKEY: please check the 'trusted-keys' for '.' in named.conf.
Feb 28 09:48:00 server named[2480]: error (no valid KEY) resolving './DNSKEY/IN': 193.0.14.129#53
Feb 28 09:48:00 server named[2480]: error (broken trust chain) resolving './NS/IN': 192.112.36.4#53
Feb 28 09:48:00 server named[2480]: error (broken trust chain) resolving 'www.apple.com/A/IN': 17.171.63.30#53
Feb 28 09:48:00 server named[2480]: error (broken trust chain) resolving 'apple.com/A/IN': 17.171.63.30#53
Feb 28 09:48:00 server named[2480]: error (broken trust chain) resolving 'apple-mobile.query.yahooapis.com/A/IN': 68.142.255.16#53
Feb 28 09:48:00 server named[2480]: error (broken trust chain) resolving 'api.mixpanel.com/A/IN': 208.94.148.4#53
Feb 28 09:48:01 server named[2480]:   validating @0xb7cf9ff8: com DS: bad cache hit (./DNSKEY)
Feb 28 09:48:01 server named[2480]: error (broken trust chain) resolving 'init-p01st.push.apple.com/A/IN': 17.112.144.50#53
Feb 28 09:48:01 server named[2480]:   validating @0xb7cf9ff8: com DS: bad cache hit (./DNSKEY)
Feb 28 09:48:01 server named[2480]: error (broken trust chain) resolving '7-courier.push.apple.com/A/IN': 17.171.63.40#53

Errors of this type are caused by the system clock being wrong. DNSSEC signatures (RRSIGs) carry an inception time and an expiration time, and a validating resolver rejects any signature whose validity period it has not yet entered or has already left. The decisive line above is "RRSIG validity period has not begun": the clock is behind the signature's inception time. A clock that is too far ahead fails in the same way, but BIND then reports "RRSIG has expired". Everything that follows ("no valid KEY", "broken trust chain", "bad cache hit") is a consequence of the root DNSKEY failing to validate, so every lookup that needs validation returns SERVFAIL.

This happens when the real-time clock (RTC) of the system has not kept time correctly across a reboot or a period offline. Systems running NTP are still affected: BIND starts before the NTP daemon, the NTP server is usually configured by DNS name, and that name cannot be resolved through a validating resolver whose clock is wrong, so NTP never gets the chance to correct it. Note also that ntpd exits rather than correct an offset larger than about 1000 seconds unless it was started with -g, so even once the name resolves a badly drifted clock may stay wrong until it is stepped by hand.

To resolve this, first stop BIND and NTP with commands such as:

/etc/init.d/ntp stop
/etc/init.d/bind9 stop

Then look up the IP address of an NTP server near you (a UK pool server is used in this example). Because the local resolver is the thing that is broken, query an outside name server directly; Google's public resolver is used here as its address is easy to remember:

nslookup 0.uk.pool.ntp.org 8.8.8.8
Server:     8.8.8.8
Address:    8.8.8.8#53

Non-authoritative answer:
Name:   0.uk.pool.ntp.org
Address: 176.74.25.228
Name:   0.uk.pool.ntp.org
Address: 82.219.4.30
Name:   0.uk.pool.ntp.org
Address: 89.238.136.135
Name:   0.uk.pool.ntp.org
Address: 217.114.59.3

Next set the system clock from that NTP server's IP address. ntpdate steps the clock in one go and exits, which is what a large offset needs, and the IP address sidesteps the broken resolver:

ntpdate 176.74.25.228

Then restart bind and NTP:

/etc/init.d/bind9 start
/etc/init.d/ntp start

For a final test, perform a lookup against the server's own resolver (not 8.8.8.8) to confirm that validation works again; it should now return addresses rather than SERVFAIL:

nslookup www.yahoo.co.uk
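To make the procedure above repeatable, here is an added example script (my own, not code from the original page) that classifies the log symptom as clock-behind or clock-ahead, wraps the stop/ntpdate/start steps, writes the corrected time back to the RTC, and checks the result by looking for the ad (Authenticated Data) flag in a dig +dnssec answer. It assumes a Debian-style host with /etc/init.d scripts, ntpdate and hwclock installed, and root for the fix step; the "clock ahead" log line and the dig output used in the check are constructed samples, while the "clock behind" lines are taken from the excerpt above.

```shell
#!/bin/sh
# Added example (not from the original page): triage a BIND DNSSEC outage as
# clock skew, apply the page's resync procedure on request, and verify the fix.
# Assumptions: Debian-style init scripts (/etc/init.d/ntp, /etc/init.d/bind9),
# ntpdate and hwclock installed, and the fix run as root.

# Sample logs. The "behind" sample is three lines from the excerpt above; the
# "ahead" sample is a constructed line showing what BIND logs when the clock
# is past the signature's expiration instead.
SAMPLE_LOG_BEHIND=$(cat <<'EOF'
Feb 28 09:48:00 server named[2480]: validating @0xb7f4d5f0: . DNSKEY: verify failed due to bad signature (keyid=19036): RRSIG validity period has not begun
Feb 28 09:48:00 server named[2480]: error (broken trust chain) resolving 'www.apple.com/A/IN': 17.171.63.30#53
Feb 28 09:48:01 server named[2480]:   validating @0xb7cf9ff8: com DS: bad cache hit (./DNSKEY)
EOF
)
SAMPLE_LOG_AHEAD='Feb 28 09:48:00 server named[2480]: validating @0xb7f4d5f0: . DNSKEY: verify failed due to bad signature (keyid=19036): RRSIG has expired'

# diagnose_skew LOGFILE
# Prints "behind" (clock earlier than the RRSIG inception), "ahead" (clock
# later than the RRSIG expiration), "unknown" (validation failing for some
# other reason) or "none". Only the first two are fixed by resyncing the clock.
diagnose_skew() {
    if grep -q 'RRSIG validity period has not begun' "$1"; then
        echo behind
    elif grep -q 'RRSIG has expired' "$1"; then
        echo ahead
    elif grep -q 'broken trust chain' "$1"; then
        echo unknown
    else
        echo none
    fi
}

# has_ad_flag  (dig output on stdin)
# Succeeds if the header flags contain "ad" (Authenticated Data), i.e. the
# resolver validated the answer. With a broken clock the resolver returns
# SERVFAIL and no ad flag, so this is the post-fix check:
#   dig +dnssec @127.0.0.1 www.yahoo.co.uk A | has_ad_flag
has_ad_flag() {
    sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | grep -qw ad
}

# resync_clock NTP_IP
# The procedure from the page, plus writing the corrected time to the RTC so
# the next reboot does not start from the same bad time.
resync_clock() {
    /etc/init.d/ntp stop
    /etc/init.d/bind9 stop
    # ntpdate steps the clock once and exits, which a large offset needs
    # (on a host without ntpdate, "ntpd -gq" does the same).
    ntpdate "$1" || { echo "ntpdate against $1 failed" >&2; return 1; }
    hwclock --systohc || echo "warning: could not write the RTC" >&2
    /etc/init.d/bind9 start
    /etc/init.d/ntp start
}

# Stand-alone use:
#   ./clockfix.sh                   diagnose the embedded sample
#   ./clockfix.sh /var/log/syslog   diagnose a real log
#   ./clockfix.sh --fix 176.74.25.228   apply the resync (as root)
case "$1" in
    --fix) [ -n "$2" ] && resync_clock "$2" ;;
    ?*)    echo "$1: clock is $(diagnose_skew "$1")" ;;
    *)     tmp=$(mktemp)
           printf '%s\n' "$SAMPLE_LOG_BEHIND" > "$tmp"
           echo "sample log: clock is $(diagnose_skew "$tmp")"
           rm -f "$tmp" ;;
esac
```

The diagnosis deliberately distinguishes "unknown" from the two clock cases: a "broken trust chain" without a time-related RRSIG message can also come from a stale trust anchor or a genuinely bad zone, and stepping the clock will not help there.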

Last updated: 03/03/2015