Servfail on Bind -9.16.1

Matus UHLAR - fantomas uhlar at fantomas.sk
Sun Nov 22 15:34:38 UTC 2020


>On Sun, Nov 22, 2020 at 8:14 AM Ismael Suarez <Ismael_Suarez at coqui.com>
>wrote:

>> Also, just for testing. Similar happened to me. Try with
>> ‘dnssec-validation no;’

On 22.11.20 09:05, upen wrote:
>Thank you Ismael, you are right.
>The resolution worked after setting ^^^
>
>So to answer Julien also, I believe +nodnssec in the dig would have helped
>with resolution.
>
>So validation is not working, it seems. What could be the reason for that? Is
>something wrong in my configuration or network that the dnssec validation
>cannot be used in my configuration?

It's possible that your provider does DNS hijacking.
DNS over TLS or DNS over HTTPS could help verify that.


>I can set to auto again and run dig +trace if that will help
>troubleshooting further why validation may not be working. I’m unsure if
>this is expected or something could be wrong somewhere on my end/network.

>> From: bind-users <bind-users-bounces at lists.isc.org> on behalf of julien
>> soula <julien.soula at univ-lille.fr>
>> Sent: Sunday, November 22, 2020 9:31:56 AM
>> To: upen <upendra.gandhi at gmail.com>
>> Cc: bind-users at lists.isc.org <bind-users at lists.isc.org>; BIND Users <
>> bind-users at isc.org>
>> Subject: Re: Servfail on Bind -9.16.1
>>
>> On Sat, Nov 21, 2020 at 03:20:26PM -0600, upen wrote:
>> > .../...
>> > default.log:21-Nov-2020 15:11:18.008 client @0x7fb6a800c0a0 127.0.0.1#33706 (www.facebook.com): query failed (broken trust chain) for www.facebook.com/IN/A at query.c:6883
>> > dnssec.log:21-Nov-2020 15:11:18.008 validating www.facebook.com/CNAME: bad cache hit (com/DS)
>> > lame-servers.log:21-Nov-2020 15:11:18.008 broken trust chain resolving 'www.facebook.com/A/IN': 129.134.31.12#53
>>
>> it seems to be an error in dnssec. So I suppose that "dig +nodnssec
>> ...." works.
>>
>> Maybe "dig +trace facebook.com" will give you more hints.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
It's now safe to throw off your computer.
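
Added example, not part of the original message or of BIND: a small triage script that reads validator log lines like the ones quoted in this thread and reports the RRset at which the chain of trust breaks, so it is clear whether the failure sits at the queried zone or higher up (here com/DS). The sample input is the thread's three log lines unwrapped; the function names and the one-label "resolver-wide" heuristic are assumptions made for this example.

```python
import re

# Constructed sample: the three log lines quoted in the thread, unwrapped.
SAMPLE_LOG = """\
default.log:21-Nov-2020 15:11:18.008 client @0x7fb6a800c0a0 127.0.0.1#33706 (www.facebook.com): query failed (broken trust chain) for www.facebook.com/IN/A at query.c:6883
dnssec.log:21-Nov-2020 15:11:18.008 validating www.facebook.com/CNAME: bad cache hit (com/DS)
lame-servers.log:21-Nov-2020 15:11:18.008 broken trust chain resolving 'www.facebook.com/A/IN': 129.134.31.12#53
"""

VALIDATING = re.compile(r"validating (?P<name>\S+?)/(?P<rtype>[A-Z0-9]+): (?P<reason>.+)$")
BAD_CACHE = re.compile(r"bad cache hit \((?P<owner>[^/\s]+)/(?P<rtype>[A-Z0-9]+)\)")
BROKEN = re.compile(r"broken trust chain resolving '(?P<name>[^/']+)/[^']*': (?P<server>\S+)#\d+")


def triage(log_text):
    """Map each break point (owner/TYPE) to the names and servers affected."""
    breaks = {}         # "com/DS" -> {"names": set(), "servers": set()}
    name_to_break = {}  # queried name -> break point, to attach server lines
    for line in log_text.splitlines():
        m = VALIDATING.search(line)
        if m:
            hit = BAD_CACHE.search(m["reason"])
            # "bad cache hit (X/T)" points at an earlier failure for X/T;
            # any other reason means the named RRset itself failed.
            point = (f"{hit['owner']}/{hit['rtype']}" if hit
                     else f"{m['name']}/{m['rtype']}")
            entry = breaks.setdefault(point, {"names": set(), "servers": set()})
            entry["names"].add(m["name"])
            name_to_break[m["name"]] = point
            continue
        m = BROKEN.search(line)
        if m and m["name"] in name_to_break:
            breaks[name_to_break[m["name"]]]["servers"].add(m["server"])
    return breaks


def scope(point):
    """Heuristic (assumption): a break at the root or a one-label TLD affects
    every name below it, so look at the resolver's path, not the target zone."""
    owner = point.split("/")[0].rstrip(".")
    return "resolver-wide" if owner.count(".") == 0 else "single-zone"


if __name__ == "__main__":
    for point, info in triage(SAMPLE_LOG).items():
        print(point, scope(point), sorted(info["names"]), sorted(info["servers"]))
```

A "resolver-wide" result for com/DS means every signed name under com will fail on this resolver, which fits the path-interference explanation given above better than a problem in the queried zone.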

