Servfail on Bind -9.16.1

upen upendra.gandhi at gmail.com
Sun Nov 22 17:19:59 UTC 2020


On Sun, Nov 22, 2020 at 9:35 AM Matus UHLAR - fantomas <uhlar at fantomas.sk>
wrote:

> >On Sun, Nov 22, 2020 at 8:14 AM Ismael Suarez <Ismael_Suarez at coqui.com>
> >wrote:
>
> >> Also, just for testing. Similar happened to me. Try with
> >> ‘dnssec-validation no;’
>
> On 22.11.20 09:05, upen wrote:
> >Thank you Ismael, you are right.
> >The resolution worked after setting ^^^
> >
> >So to answer Julien also, I believe +nodnssec in the dig would have helped
> >with resolution.
> >
> >So validation is not working, it seems. What could be the reason for that? Is
> >something wrong in my configuration or network that the DNSSEC validation
> >cannot be used in my configuration?
>
> it's possible that your provider does DNS hijacking.
> DNS over TLS or DNS over HTTPS could help verify that.




Thank you Matus. So this is inside a university network and on a server.
Maybe the network people do some DNS interception. I did upload a link
to a packet capture which may shed some light on whether they do indeed hijack.

But from your reply it sounds like this behavior with auto is not expected
and things should work for those domains, so definitely something to check
on the network and configuration end of things.

Thank you
Upen

>
>
>
> >I can set to auto again and run dig +trace if that will help
> >troubleshooting further why validation may not be working. I’m unsure if
> >this is expected or something could be wrong somewhere on my end/network.
>
> >> From: bind-users <bind-users-bounces at lists.isc.org> on behalf of julien
> >> soula <julien.soula at univ-lille.fr>
> >> Sent: Sunday, November 22, 2020 9:31:56 AM
> >> To: upen <upendra.gandhi at gmail.com>
> >> Cc: bind-users at lists.isc.org <bind-users at lists.isc.org>; BIND Users <
> >> bind-users at isc.org>
> >> Subject: Re: Servfail on Bind -9.16.1
> >>
> >> On Sat, Nov 21, 2020 at 03:20:26PM -0600, upen wrote:
> >> > .../...
> >> > default.log:21-Nov-2020 15:11:18.008 client @0x7fb6a800c0a0 127.0.0.1#33706
> >> > (www.facebook.com): query failed (broken trust chain) for
> >> > www.facebook.com/IN/A at query.c:6883
> >> > dnssec.log:21-Nov-2020 15:11:18.008 validating www.facebook.com/CNAME: bad
> >> > cache hit (com/DS)
> >> > lame-servers.log:21-Nov-2020 15:11:18.008 broken trust chain resolving
> >> > 'www.facebook.com/A/IN': 129.134.31.12#53
> >>
> >> It seems to be an error in DNSSEC. So I suppose that "dig +nodnssec
> >> ...." works.
> >>
> >> Maybe "dig +trace facebook.com" will give you more hints.
>
> --
> Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> It's now safe to throw off your computer.
-- 
upen,
emerge -uD life (Upgrade Life with dependencies)
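
Added example, not part of the thread and not BIND's own code: a small triage script for the log lines quoted above, showing which record the validator reports as the failing link (here com/DS, not anything under facebook.com). The function names and the root/TLD scope heuristic are assumptions of this example; the sample input is the thread's three log lines, de-wrapped.

```python
import re
from collections import Counter

# Constructed sample: the three log lines quoted in the thread, de-wrapped.
SAMPLE_LOG = """\
default.log:21-Nov-2020 15:11:18.008 client @0x7fb6a800c0a0 127.0.0.1#33706 (www.facebook.com): query failed (broken trust chain) for www.facebook.com/IN/A at query.c:6883
dnssec.log:21-Nov-2020 15:11:18.008 validating www.facebook.com/CNAME: bad cache hit (com/DS)
lame-servers.log:21-Nov-2020 15:11:18.008 broken trust chain resolving 'www.facebook.com/A/IN': 129.134.31.12#53
"""

# "validating <qname>/<qtype>: bad cache hit (<owner>/<rrtype>)" names the
# record whose earlier validation failure is now blocking the query.
BAD_CACHE = re.compile(
    r"validating ([^/\s]+)/([A-Z0-9]+): bad cache hit \(([^/\s]+)/([A-Z0-9]+)\)")
# "broken trust chain resolving '<qname>/<qtype>/IN': <server>#<port>"
BROKEN = re.compile(
    r"broken trust chain resolving '([^/']+)/([A-Z0-9]+)/IN': (\S+)#\d+")


def failing_links(log_text):
    """Count (owner, rrtype) records reported as bad cache hits."""
    hits = Counter()
    for line in log_text.splitlines():
        m = BAD_CACHE.search(line)
        if m:
            owner = m.group(3).rstrip(".").lower() or "."
            hits[(owner, m.group(4))] += 1
    return hits


def broken_queries(log_text):
    """List (qname, qtype, server) for each 'broken trust chain resolving' line."""
    return [m.groups() for m in map(BROKEN.search, log_text.splitlines()) if m]


def triage(log_text):
    """Label each failing link by where it sits in the DNS tree."""
    # Heuristic (an assumption of this example): a failure on the root or a
    # TLD breaks validation for every name below it, so it points at the
    # resolver's own environment rather than at one domain's DNSSEC setup.
    report = []
    for (owner, rrtype), count in failing_links(log_text).most_common():
        labels = 0 if owner == "." else owner.count(".") + 1
        scope = "tld-or-root" if labels <= 1 else "single-zone"
        report.append((owner, rrtype, count, scope))
    return report
```

Running `triage()` over a full `dnssec.log` gives one row per failing record, most frequent first.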