Servfail on Bind -9.16.1

upen upendra.gandhi at gmail.com
Mon Nov 23 02:37:31 UTC 2020


Hi Mark and everyone,

Thank you for continuing to help me.
I have set DNS validation to auto (from no) and restarted the bind9 service.

# egrep dnssec-validation /etc/bind/named.conf.options
        dnssec-validation auto;

#dig +dnssec +cd dnskey .
; <<>> DiG 9.16.1-Ubuntu <<>> +dnssec +cd dnskey .
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30138
;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 4c28af06251e4b51010000005fbb1b1fa619c694e6bff1b4 (good)
;; QUESTION SECTION:
;.                              IN      DNSKEY

;; ANSWER SECTION:
.                       172780  IN      DNSKEY  256 3 8
AwEAAfC/6HLClwss6h7rPfoG2cliv4/SPJRd2HPEglRsvKZRbPP2RLfi
obeAkczcdqaD5q8loEt14lcTgDqwzOISZ3YvSVkM4JRMFwKzcjukKo5C
sDVbMmhTD0C0yxWICRQ1M+Y5/XkZAT7mt4cb3fWcN9xgyq1wEXQX+zdL
QHrNEVQSiL5SoA5cOtCSoQ45n8bKDXdw/0jjP9Rw1FVKsdzLVkQSrVMm
8k30WUkHm/SK/n/954KENkdQOA6Li2vO9nicQdegyAkDeNJCdPN/p3jE
hCTQLyO4AlAmyaPcDHeeo7OXr/VsYu4NTDde9hBuS0zx/rewD+BvSnmn NHNmH2FjUE8=
.                       172780  IN      DNSKEY  257 3 8
AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=
.                       172780  IN      RRSIG   DNSKEY 8 0 172800
20201211000000 20201120000000 20326 .
eD2ohirt98vCTbuBKIH8lmGum8g2zumyXA89A999extXqsWmomgVQhcb
l6zvJHLdFvhBmA+ZqhOTiXvdXpOPeyqHLuMiRv8TTawNU305WPnsonSx
uD5ThT9q7YXUZc9ty19Aur3AU0KtlNGULI+4ExrghEkdTNrysqgDWBO6
zslPuJlzSwu/qZcPWYVjsWRnCtJ9DyCpgLnjSYIUzA0Xz+FWtj1jM0BK
Z9EyO+W5EaGkL2/u+bWWG07ZKJN0NwvTuq7Ounc+lz0zZDh83r/H4KRN
J4VIoY3qPDkW4ZvGdAFM5o8sZdTTWKbieqCqWccj8W6sHEdiZ91JCt/G 3/FVsw==

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Nov 22 20:14:55 CST 2020
;; MSG SIZE  rcvd: 893


The root zone is not forwarded and the file is located at
#ls -al /usr/share/dns/root.hints*
-rw-r--r-- 1 root root 3311 May 29  2019 /usr/share/dns/root.hints
-rw-r--r-- 1 root root   72 May 29  2019 /usr/share/dns/root.hints.sig

Contents of the root.hints file are pasted at https://dpaste.com/EWKCX34NQ.
The file is provided by the OS package dns-root-data (Description:
2019052802  DNS root data including root zone and DNSSEC key).

Additional files provided by that package
#dpkg-query -L dns-root-data
/.
/usr
/usr/share
/usr/share/dns
/usr/share/dns/root.ds
/usr/share/dns/root.hints
/usr/share/dns/root.hints.sig
/usr/share/dns/root.key
/usr/share/doc
/usr/share/doc/dns-root-data
/usr/share/doc/dns-root-data/changelog.gz
/usr/share/doc/dns-root-data/copyright

Not sure what changed here; I am getting results now even after setting
"dnssec-validation" to auto. Really puzzled.

#dig @127.0.0.1  +dnssec +cd dnskey www.facebook.com

; <<>> DiG 9.16.1-Ubuntu <<>> @127.0.0.1 +dnssec +cd dnskey www.facebook.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19781
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 028fb4fde9f61d53010000005fbb1fcca2b3cd29887d7e13 (good)
;; QUESTION SECTION:
;www.facebook.com.              IN      DNSKEY

;; ANSWER SECTION:
www.facebook.com.       2395    IN      CNAME   star-mini.c10r.facebook.com.

;; AUTHORITY SECTION:
c10r.facebook.com.      216     IN      SOA     a.ns.c10r.facebook.com.
dns.facebook.com. 1606098709 300 600 600 300

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Nov 22 20:34:52 CST 2020
;; MSG SIZE  rcvd: 176


Thank you,
Upen




On Sun, Nov 22, 2020 at 5:47 PM Mark Andrews <marka at isc.org> wrote:

> Ok.  Let's start by debugging this from the trust anchor downwards.
> Let's see what "dig +dnssec +cd dnskey ." returns.  It should return
> something like below with 2 DNSKEY records and a RRSIG for the DNSKEY.
> The RRSIG is regenerated daily so it will likely differ.  The DNSKEY
> records should be an exact match.  In this case flags contains 'ad' which
> means that the RRset has previously been validated.
>
> [beetle:~/git/bind9] marka% dig +dnssec +cd dnskey .
> ;; BADCOOKIE, retrying.
>
> ; <<>> DiG 9.15.4 <<>> +dnssec +cd dnskey .
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12403
> ;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ; COOKIE: f182281b307ab59a010000005fbaf21fcdc7ab7803361e3c (good)
> ;; QUESTION SECTION:
> ;.                              IN      DNSKEY
>
> ;; ANSWER SECTION:
> .                       134751  IN      DNSKEY  257 3 8
> AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
> +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
> ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
> 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
> oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
> RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=
> .                       134751  IN      DNSKEY  256 3 8
> AwEAAfC/6HLClwss6h7rPfoG2cliv4/SPJRd2HPEglRsvKZRbPP2RLfi
> obeAkczcdqaD5q8loEt14lcTgDqwzOISZ3YvSVkM4JRMFwKzcjukKo5C
> sDVbMmhTD0C0yxWICRQ1M+Y5/XkZAT7mt4cb3fWcN9xgyq1wEXQX+zdL
> QHrNEVQSiL5SoA5cOtCSoQ45n8bKDXdw/0jjP9Rw1FVKsdzLVkQSrVMm
> 8k30WUkHm/SK/n/954KENkdQOA6Li2vO9nicQdegyAkDeNJCdPN/p3jE
> hCTQLyO4AlAmyaPcDHeeo7OXr/VsYu4NTDde9hBuS0zx/rewD+BvSnmn NHNmH2FjUE8=
> .                       134751  IN      RRSIG   DNSKEY 8 0 172800
> 20201211000000 20201120000000 20326 .
> eD2ohirt98vCTbuBKIH8lmGum8g2zumyXA89A999extXqsWmomgVQhcb
> l6zvJHLdFvhBmA+ZqhOTiXvdXpOPeyqHLuMiRv8TTawNU305WPnsonSx
> uD5ThT9q7YXUZc9ty19Aur3AU0KtlNGULI+4ExrghEkdTNrysqgDWBO6
> zslPuJlzSwu/qZcPWYVjsWRnCtJ9DyCpgLnjSYIUzA0Xz+FWtj1jM0BK
> Z9EyO+W5EaGkL2/u+bWWG07ZKJN0NwvTuq7Ounc+lz0zZDh83r/H4KRN
> J4VIoY3qPDkW4ZvGdAFM5o8sZdTTWKbieqCqWccj8W6sHEdiZ91JCt/G 3/FVsw==
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Nov 23 10:19:59 AEDT 2020
> ;; MSG SIZE  rcvd: 893
>
> [beetle:~/git/bind9] marka%
>
> If you don't get an answer like this then we need to work out why.
>
> Do you have a local copy of the root zone?  If so, is it from IANA
> or from somewhere else?
>
> Are you forwarding the root zone? If so what do ALL the forwarders
> return for "dig +dnssec +cd dnskey . @<server>" where <server> is
> replaced by the IP address for each server.  If you are forwarding, is
> it forward "first" or "only"?
>
> Mark
>
> > On 22 Nov 2020, at 08:20, upen <upendra.gandhi at gmail.com> wrote:
> >
> > Hello Anand, and all,
> >
> > >www.facebook.com
> > $ dig @127.0.0.1 -t A www.facebook.com
> >
> > ; <<>> DiG 9.16.1-Ubuntu <<>> @127.0.0.1 -t A www.facebook.com
> > ; (1 server found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38917
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 4096
> > ; COOKIE: a18d9ed2a6d1bcd6010000005fb982763dfdafed174d4ef1 (good)
> > ;; QUESTION SECTION:
> > ;www.facebook.com.              IN      A
> >
> > ;; Query time: 4 msec
> > ;; SERVER: 127.0.0.1#53(127.0.0.1)
> > ;; WHEN: Sat Nov 21 15:11:18 CST 2020
> > ;; MSG SIZE  rcvd: 73
> >
> > > Your instance of BIND is probably logging to syslog. Look for these logs
> > > (usually /var/log/messages), and see what BIND is logging. It may shed a
> > > light on the problem.
> >
> > Thank you. I enabled logging and when I grep for www.facebook.com, I
> > notice the following output from four different log files:
> >
> > debug.log:21-Nov-2020 15:11:18.004 queries: info: client @0x7fb6a800c0a0 127.0.0.1#33706 (www.facebook.com): query: www.facebook.com IN A +E(0)K (127.0.0.1)
> > default.log:21-Nov-2020 15:11:18.008 client @0x7fb6a800c0a0 127.0.0.1#33706 (www.facebook.com): query failed (broken trust chain) for www.facebook.com/IN/A at query.c:6883
> > dnssec.log:21-Nov-2020 15:11:18.008 validating www.facebook.com/CNAME: bad cache hit (com/DS)
> > lame-servers.log:21-Nov-2020 15:11:18.008 broken trust chain resolving 'www.facebook.com/A/IN': 129.134.31.12#53
> >
> >
> > Before running this query I also added dnssec-validation auto; to the
> > options file and restarted the bind9 service. It's pointing to a broken
> > trust chain which I am unsure how to resolve.
> >
> > Thanks,
> > Upen
> >
> >
> > On Sat, Nov 21, 2020 at 3:11 PM Anand Buddhdev <anandb at ripe.net> wrote:
> > On 21/11/2020 21:53, upen wrote:
> >
> > Hi Upen,
> >
> > > Could someone guide me to troubleshoot this further? Thank you for the
> > > list.
> >
> > Your instance of BIND is probably logging to syslog. Look for these logs
> > (usually /var/log/messages), and see what BIND is logging. It may shed a
> > light on the problem.
> >
> > Regards,
> > Anand
> > _______________________________________________
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
> >
> > ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
> >
> >
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> >
> >
> > --
> > upen,
> > emerge -uD life (Upgrade Life with dependencies)
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
>
>

-- 
upen,
emerge -uD life (Upgrade Life with dependencies)
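An added check (not from this thread and not part of BIND) for the step Mark describes, comparing the DNSKEY returned by "dig +dnssec +cd dnskey ." against the trust anchor: it rebuilds the wire-format RDATA of the flags-257 root key from the answer above, recomputes its RFC 4034 key tag, confirms it equals the 20326 named in the RRSIG, and derives the SHA-256 DS digest so the operator can compare it with /usr/share/dns/root.ds from the dns-root-data package. Only the Python standard library is used; the base64 key is copied from the dig output in this mail.

```python
import base64
import hashlib
import struct

# Root KSK (flags 257, protocol 3, algorithm 8) copied from the
# "dig +dnssec +cd dnskey ." answer in the mail above. The RRSIG over the
# root DNSKEY RRset names key tag 20326, so this key must produce that tag.
ROOT_KSK_B64 = (
    "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3"
    "+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv"
    "ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF"
    "0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e"
    "oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd"
    "RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN"
    "R1AkUTV74bU="
)

def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # even offsets are the high byte
    ac += (ac >> 16) & 0xFFFF          # fold the carry back in
    return ac & 0xFFFF

def ds_digest_sha256(owner_wire: bytes, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over owner name (wire form) + DNSKEY RDATA."""
    return hashlib.sha256(owner_wire + rdata).hexdigest().upper()

def check_root_ksk(key_b64: str = ROOT_KSK_B64, expected_tag: int = 20326):
    """Return (tag, tag matches expected, DS digest) for a flags-257 root key."""
    rdata = dnskey_rdata(257, 3, 8, key_b64)
    tag = key_tag(rdata)
    # The root owner name "." is a single zero byte (empty label) on the wire.
    return tag, tag == expected_tag, ds_digest_sha256(b"\x00", rdata)

if __name__ == "__main__":
    tag, ok, ds = check_root_ksk()
    print(f"KSK key tag {tag}: {'matches' if ok else 'DOES NOT match'} RRSIG key tag 20326")
    print(f"DS 20326 8 2 {ds}   <- compare with /usr/share/dns/root.ds")
```

A key tag or DS digest that differs from root.key / root.ds means the resolver is being served a DNSKEY RRset that does not chain to the configured trust anchor, which is the kind of mismatch that surfaces as "broken trust chain" in the dnssec log.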