Servfail on Bind -9.16.1

Matus UHLAR - fantomas uhlar at
Sun Nov 22 15:34:38 UTC 2020

>On Sun, Nov 22, 2020 at 8:14 AM Ismael Suarez <Ismael_Suarez at>

>> Also, just for testing. Similar happened to me. Try with
>> ‘dnssec-validation no;’

On 22.11.20 09:05, upen wrote:
>Thank you Ismael, you are right.
>The resolution worked after setting ^^^
>So to answer Julien also, I believe +nodnssec in the dig would have helped
>with resolution.
>So validation is not working, it seems. What could be the reason for that? Is
>something wrong in my configuration or network that the dnssec validation
>cannot be used in my configuration?

It's possible that your provider does DNS hijacking.
DNS over TLS or DNS over HTTPS could help verify that.

>I can set to auto again and run dig +trace if that will help
>troubleshooting further why validation may not be working. I’m unsure if
>this is expected or something could be wrong somewhere on my end/network.

>> From: bind-users <bind-users-bounces at> on behalf of julien
>> soula <julien.soula at>
>> Sent: Sunday, November 22, 2020 9:31:56 AM
>> To: upen <upendra.gandhi at>
>> Cc: bind-users at <bind-users at>; BIND Users <
>> bind-users at>
>> Subject: Re: Servfail on Bind -9.16.1
>> On Sat, Nov 21, 2020 at 03:20:26PM -0600, upen wrote:
>> > .../...
>> > default.log:21-Nov-2020 15:11:18.008 client @0x7fb6a800c0a0
>> > (<>): query failed (broken trust
>> chain) for
>> ><> at query.c:6883
>> > dnssec.log:21-Nov-2020 15:11:18.008 validating<
>>> bad
>> > cache hit (com/DS)
>> > lame-servers.log:21-Nov-2020 15:11:18.008 broken trust chain resolving '
>> >':<':>
>> It seems to be an error in dnssec. So I suppose that "dig +nodnssec
>> ...." works.
>> Maybe "dig +trace" will give you more hints.

Matus UHLAR - fantomas, uhlar at ;
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
It's now safe to throw off your computer.
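
As an added example (not from the thread and not BIND code), this Python sketch correlates the three per-category log lines quoted above into one event and extracts the name/type from `bad cache hit (...)`, which is the record the validator could not trust. The sample lines are constructed with placeholder names and addresses, and the `file:` prefixes are assumed to be grep output over per-category log files as in the quoted message.

```python
import re

# Constructed sample shaped like the grep output quoted in the thread; names
# and addresses are placeholders (example.com, RFC 5737 ranges).
SAMPLE = """\
default.log:21-Nov-2020 15:11:18.008 client @0x7fb6a800c0a0 192.0.2.10#53124 (www.example.com): query failed (broken trust chain) for www.example.com/IN/A at query.c:6883
dnssec.log:21-Nov-2020 15:11:18.008 validating www.example.com/A: bad cache hit (com/DS)
lame-servers.log:21-Nov-2020 15:11:18.008 broken trust chain resolving 'www.example.com/A/IN': 198.51.100.1#53
default.log:21-Nov-2020 15:11:19.120 client @0x7fb6a800c0a0 192.0.2.10#53125 (example.org): query failed (SERVFAIL) for example.org/IN/A at query.c:6883
"""

LINE = re.compile(r"^(?P<file>[\w.-]+):(?P<ts>\d{2}-\w{3}-\d{4} [\d:.]+) (?P<msg>.*)$")
PATTERNS = [
    # Client-facing failure as logged for the query
    re.compile(r"query failed \((?P<reason>[^)]+)\) for (?P<name>\S+)/IN/(?P<type>\w+)"),
    # Validator detail
    re.compile(r"validating (?P<name>\S+)/(?P<type>\w+): (?P<detail>.+)$"),
    # Resolver-side view, including the upstream server that was asked
    re.compile(r"^(?P<reason>.+?) resolving '(?P<name>[^/']+)/(?P<type>\w+)/IN': (?P<server>\S+)"),
]
BAD_CACHE = re.compile(r"bad cache hit \((?P<owner>[^/]+)/(?P<rrtype>\w+)\)")


def triage(text):
    """Group log lines by (timestamp, qname, qtype) and flag DNSSEC failures."""
    events = {}
    for raw in text.splitlines():
        line = LINE.match(raw)
        if line is None:
            continue  # not a "file:timestamp message" line
        for pat in PATTERNS:
            m = pat.search(line["msg"])
            if m is None:
                continue
            f = m.groupdict()
            key = (line["ts"], f["name"].rstrip(".").lower(), f["type"])
            ev = events.setdefault(key, {"ts": key[0], "name": key[1], "type": key[2],
                                         "reasons": set(), "broken_at": None, "server": None})
            ev["reasons"].update(filter(None, [f.get("reason")]))
            ev["server"] = f.get("server") or ev["server"]
            bad = BAD_CACHE.search(f.get("detail") or "")
            if bad:  # owner/type of the record the validator rejected
                ev["broken_at"] = f"{bad['owner']}/{bad['rrtype']}"
            break
    for ev in events.values():
        ev["dnssec"] = "broken trust chain" in ev["reasons"] or ev["broken_at"] is not None
    return sorted(events.values(), key=lambda e: e["ts"])
```

A `broken_at` value high in the tree, such as `com/DS`, shows that the failure is not specific to the queried zone, so the path between the resolver and the parent zone's servers is where to look next.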
