dig ds c10r.facebook.com returns SERVFAIL

Laurent Bigonville bigon+bind at bigon.be
Mon Sep 3 20:26:35 UTC 2018

On 3/09/18 21:03, Tony Finch wrote:
> Laurent Bigonville <bigon+bind at bigon.be> wrote:
>> With bind9 server (I can reproduce that on RHEL7 with 9.9.4, debian stable
>> with 9.10.3 and also debian unstable with 9.11.4) when doing "dig ds
>> c10r.facebook.com @", I get a SERVFAIL.
> This is because the authoritative servers for facebook.com do not
> implement any DNSSEC, so they don't know that DS records are found on the
> parent side of a zone cut, so they return a referral instead of a negative
> answer. BIND treats this as a server failure, and does not attempt to work
> around the antediluvian ignorance of the auth servers. In practice it
> shouldn't matter since there shouldn't be any signed zones underneath a
> server that doesn't know about DNSSEC.

The problem is that systemd-resolved (maybe other software is doing the 
same?) is asking for the DS record to check if the record is supposed to be 
signed (well, I think) before trying to do DNSSEC validation on the 
client side.

I'm also wondering (and pardon my ignorance, but) why does bind try 
all the forwarders and then the auth server if the 1st server already 
replies with an empty answer and a NOERROR?

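To make the distinction in Tony's explanation concrete, here is an added example (not from the thread or from BIND) that models how a validating resolver reads an authoritative server's reply to a DS query: a proper negative answer (NOERROR, AA set, SOA in the authority section) proves the delegation is unsigned, whereas a referral (no answer, NS records in authority, AA clear) is the response shape that BIND refuses to interpret and turns into SERVFAIL. The `Response` class and the sample replies are constructed and simplified, not captured traffic.

```python
from dataclasses import dataclass, field

# Constructed, simplified view of a DNS response: only the fields a
# resolver inspects when deciding what a DS query outcome means.
@dataclass
class Response:
    rcode: str                                      # "NOERROR", "SERVFAIL", ...
    aa: bool                                        # authoritative-answer flag
    answer: list = field(default_factory=list)      # (owner name, rtype) pairs
    authority: list = field(default_factory=list)   # (owner name, rtype) pairs


def classify_ds_response(qname: str, r: Response) -> str:
    """Interpret an authoritative server's reply to 'DS <qname>'.

    Returns one of:
      "signed"   - a DS for qname is in the answer: the child zone is signed.
      "insecure" - negative answer (NOERROR, AA set, no answer, SOA in
                   authority): provably no DS, so an unsigned delegation.
      "referral" - no answer, NS records in authority, AA clear: the server
                   does not know DS lives on the parent side of the zone cut.
                   This is the reply BIND reports as SERVFAIL.
      "error"    - anything else (including a server-side SERVFAIL).
    """
    if r.rcode == "NOERROR" and any(n == qname and t == "DS" for n, t in r.answer):
        return "signed"
    has_soa = any(t == "SOA" for _, t in r.authority)
    has_ns = any(t == "NS" for _, t in r.authority)
    if r.rcode == "NOERROR" and r.aa and not r.answer and has_soa:
        return "insecure"
    if r.rcode == "NOERROR" and not r.aa and not r.answer and has_ns and not has_soa:
        return "referral"
    return "error"


# Constructed sample replies (illustrative, not real captures).
REFERRAL = Response("NOERROR", aa=False, authority=[("c10r.facebook.com", "NS")])
NODATA = Response("NOERROR", aa=True, authority=[("facebook.com", "SOA")])
SIGNED = Response("NOERROR", aa=True, answer=[("child.example", "DS")])

if __name__ == "__main__":
    for label, qname, resp in [("referral", "c10r.facebook.com", REFERRAL),
                               ("nodata", "c10r.facebook.com", NODATA),
                               ("signed", "child.example", SIGNED)]:
        print(f"{label:8s} -> {classify_ds_response(qname, resp)}")
```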