dig ds c10r.facebook.com returns SERVFAIL

Tony Finch dot at dotat.at
Mon Sep 3 19:03:50 UTC 2018

Laurent Bigonville <bigon+bind at bigon.be> wrote:
> With bind9 server (I can reproduce that on RHEL7 with 9.9.4, debian stable
> with 9.10.3 and also debian unstable with 9.11.4) when doing "dig ds
> c10r.facebook.com @", I get a SERVFAIL.

This is because the authoritative servers for facebook.com do not
implement any DNSSEC, so they don't know that DS records are found on the
parent side of a zone cut, so they return a referral instead of a negative
answer. BIND treats this as a server failure, and does not attempt to work
around the antediluvian ignorance of the auth servers. In practice it
shouldn't matter since there shouldn't be any signed zones underneath a
server that doesn't know about DNSSEC.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Viking, North Utsire: Cyclonic, becoming northerly, 3 or 4, occasionally 5 at
first. Slight or moderate. Rain until later. Moderate or poor, occasionally
good later.

More information about the bind-users mailing list