DNS broke on my mailserver recently. This meant that the system status checks reported that “Nameserver glue records are incorrect.” and “The nameservers set on this domain are incorrect. They are currently [Not Set].”
When I looked in /var/log/syslog after running dig @localhost google.com as a test, I found this:
Oct 1 00:21:30 ubuntu named: validating @0x72f00468: com DS: bad cache hit (./DNSKEY)
Oct 1 00:21:30 ubuntu named: error (broken trust chain) resolving 'google.com/A/IN': 22.214.171.124#53
Oct 1 00:21:32 ubuntu named: validating @0x72e2c770: com DS: bad cache hit (./DNSKEY)
Oct 1 00:21:32 ubuntu named: error (broken trust chain) resolving 'google.com/A/IN': 126.96.36.199#53
Strangely, the IPs listed are valid google.com IPs, so the DNS lookup is sort of succeeding, but named doesn't want to allow the answers to be returned as valid.
I fixed the problem by resetting the clock like this, based on http://www.thedumbterminal.co.uk/posts/2015/03/correcting_bind_errors_due_to_an_out_of_sync_clock.html
Stop time and DNS daemons:
/etc/init.d/ntp stop
/etc/init.d/bind9 stop
Find the address of a public NTP server:
nslookup pool.ntp.org 188.8.131.52
Set the time correctly:
Restart DNS and time daemons:
/etc/init.d/bind9 start
/etc/init.d/ntp start
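The reason a wrong clock produces exactly the "broken trust chain" errors shown above is that every DNSSEC signature (RRSIG) carries an inception and an expiration time, and a validating resolver like named rejects a signature whose window does not contain the current time. The following is an added example, not code from the original post: it picks the "broken trust chain" lines out of syslog text in the format shown above, and then checks an RRSIG validity window against a correct clock and against a clock that is several years off. The syslog lines, the 192.0.2.53 server address and the RRSIG timestamps are all constructed for illustration; the timestamp format (YYYYMMDDHHmmSS in UTC) is the one DNSSEC uses in RRSIG records.

```python
"""Why an out-of-sync clock breaks DNSSEC validation in BIND (added example).

Assumptions: the syslog lines below are constructed in the format the post
shows (with a documentation-range server address); the RRSIG inception and
expiration values are made up. DNSSEC presents those fields as
YYYYMMDDHHmmSS in UTC, and a validator accepts a signature only while
inception <= now <= expiration.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample syslog lines, modelled on the post's named output.
SAMPLE_SYSLOG = """\
Oct 1 00:21:30 ubuntu named: validating @0x72f00468: com DS: bad cache hit (./DNSKEY)
Oct 1 00:21:30 ubuntu named: error (broken trust chain) resolving 'google.com/A/IN': 192.0.2.53#53
Oct 1 00:21:31 ubuntu named: client 127.0.0.1#50123 (google.com): query: google.com IN A +E (127.0.0.1)
"""

# Matches named's "broken trust chain" line and captures the query and the
# upstream server that answered.
TRUST_CHAIN_RE = re.compile(
    r"named: error \(broken trust chain\) resolving "
    r"'(?P<qname>[^']+)': (?P<server>[0-9A-Fa-f.:]+)#\d+"
)


def broken_trust_chain_failures(log_text):
    """Return (qname, server) for every 'broken trust chain' error in log_text."""
    return [(m.group("qname"), m.group("server"))
            for m in TRUST_CHAIN_RE.finditer(log_text)]


RRSIG_TIME_FMT = "%Y%m%d%H%M%S"


def parse_rrsig_time(field):
    """Parse an RRSIG inception/expiration field (YYYYMMDDHHmmSS, UTC)."""
    return datetime.strptime(field, RRSIG_TIME_FMT).replace(tzinfo=timezone.utc)


def rrsig_is_current(inception, expiration, now):
    """True only if the validator's clock 'now' lies inside the signature window."""
    return parse_rrsig_time(inception) <= now <= parse_rrsig_time(expiration)


def validation_under_clock_skew(inception, expiration, true_now, skew):
    """Compare validation with a correct clock and with a clock off by 'skew'.

    Returns (valid_with_correct_clock, valid_with_skewed_clock).
    """
    return (rrsig_is_current(inception, expiration, true_now),
            rrsig_is_current(inception, expiration, true_now + skew))


if __name__ == "__main__":
    for qname, server in broken_trust_chain_failures(SAMPLE_SYSLOG):
        print(f"validation failed for {qname} (answer from {server})")

    # Made-up two-week signature window and a validator whose clock is
    # three years behind: the same signature is valid, then invalid.
    inception, expiration = "20231001000000", "20231015000000"
    true_now = parse_rrsig_time("20231005120000")
    ok, skewed = validation_under_clock_skew(
        inception, expiration, true_now, timedelta(days=-3 * 365))
    print(f"correct clock: {ok}, clock 3 years behind: {skewed}")
```

The practical check this suggests is to compare the system clock against the signature window before chasing the nameserver or glue records themselves: if the clock is outside the window of a signature that is otherwise fine, every validated lookup fails the same way, even though the upstream answers are correct.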
After this, DNS started working again and I started receiving mail again too.
I am still not sure exactly how my system time went wrong, but I hope this is useful to someone...