Tuesday, August 8, 2017

Lost power for my "computer array", a circuit breaker detected too much current. I guess I had enough computers to be close to the limit here.

In any case, that did as usual a bit of damage.

1. One of my MacBook pros ran out of battery, and when I rebooted, it probably ran out of battery again during fsck (a few times). The laptop is old, its battery is really bad. In any case, I tried to repair the disk a few times, but I was unable to. So re-installation of macOS on this specific laptop. That was probably overdue anyway, there was a lot of junk on this machine
2. My DNS started acting up in a very strange way. For some reason, there was no way to resolve a few specific names, e.g. google.com or redhat.com, though others would resolve fine, e.g. google.fr or apple.com. No real logic. I spent a bit of time investigating, added logging for bind, and observed tons of messages like this:

     08-Aug-2017 03:10:57.603 lame-servers: info: error (no valid RRSIG) resolving 'nist.gov/DS/IN': 212.27.40.241#53
   08-Aug-2017 03:10:57.637 dnssec: info: validating @0x7251b740: nist.gov DS: verify failed due to bad signature (keyid=21428): RRSIG validity period has not begun
   08-Aug-2017 03:10:57.638 dnssec: info: validating @0x7251b740: nist.gov DS: no valid signature found
   08-Aug-2017 03:10:57.639 lame-servers: info: error (no valid RRSIG) resolving 'nist.gov/DS/IN': 212.27.40.240#53
   08-Aug-2017 03:10:57.669 dnssec: info:   validating @0x73448968: net SOA: verify failed due to bad signature (keyid=57899): RRSIG validity period has not begun
   08-Aug-2017 03:10:57.669 dnssec: info:   validating @0x73448968: net
     SOA: no valid signature found

   Google (.fr) pointed me to this blog explaining how to disable dnssec. Fixed it, though it's hard to understand why it worked before.