SERVFAIL for valid DNSSEC-signed domains behind forwarder

Vahid Shaik vahid at dnsrobot.net
Thu Mar 5 09:06:56 UTC 2026


Hi,

I'm running BIND 9.18 as a caching resolver with DNSSEC validation enabled. When I configure forwarders to point at my ISP's DNS, some DNSSEC-signed domains return SERVFAIL even though they validate fine when querying root servers directly.

My named.conf has:

  options {
      dnssec-validation auto;
      forwarders { 192.168.1.1; };
      forward only;
  };

Domains like cloudflare.com and google.com resolve fine, but a few smaller domains with DS records at the parent return SERVFAIL. If I remove the forwarders block and let BIND do full recursion, same domains resolve perfectly.

My guess is the ISP's resolver is stripping or mangling the DNSSEC RRSIGs before forwarding back to me, so BIND can't validate the chain. But I'm not sure how to confirm this without manually digging through the chain.

I've been cross-checking results using https://dnsrobot.net/dns-lookup to query different public resolvers and compare whether they return the RRSIG records. Helps narrow down if it's my forwarder dropping them or if the zone itself has issues.

Is there a way to tell BIND to fall back to full recursion when forwarded DNSSEC validation fails? Or should I just stop using forwarders entirely for a validating resolver?

Thanks
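The check the post is after (does the forwarder actually hand back RRSIGs when asked for them?) can be done without dig by sending one raw query with the EDNS0 DO bit set and looking at what comes back. The script below is an added example, not code from the poster or from ISC/BIND; it is a hypothetical stdlib-only diagnostic with no dnspython dependency. The resolver address and domain are command-line arguments, and the two sample replies at the bottom (SAMPLE_WITH_RRSIG, SAMPLE_STRIPPED) are constructed packets for offline testing, not captures from any real resolver.

```python
"""Check whether an upstream resolver returns DNSSEC material (RRSIGs, DO echo, AD).

Hypothetical diagnostic: stdlib only. Sends one UDP query with the EDNS0 DO bit
set and summarises the reply. Resolver IP and domain come from the command line.
"""
import socket
import struct
import sys

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
# OPT pseudo-RR: root name, type 41, "class" = 1232-byte UDP payload, TTL field carries DO (0x8000)
OPT_DO_RR = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0x8000, 0)


def wire_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=TYPE_A, txn_id=0x1234, want_dnssec=True):
    """Build a recursive query; with want_dnssec, append OPT with DO=1 so RRSIGs are requested."""
    arcount = 1 if want_dnssec else 0
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, arcount)  # 0x0100 = RD
    question = wire_name(qname) + struct.pack("!HH", qtype, 1)
    return header + question + (OPT_DO_RR if want_dnssec else b"")


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, the name ends here
            return off + 2
        off += 1 + length


def summarize_response(msg):
    """Extract what matters to a validating downstream: RCODE, TC, AD, DO echo, RRSIG count."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    summary = {"rcode": RCODE_NAMES.get(flags & 0xF, str(flags & 0xF)),
               "tc": bool(flags & 0x0200), "ad": bool(flags & 0x0020),
               "do_echoed": False, "rrsig_count": 0}
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_RRSIG:
            summary["rrsig_count"] += 1
        elif rtype == TYPE_OPT:
            summary["do_echoed"] = bool(ttl & 0x8000)  # DO bit lives in the OPT "TTL" field
    return summary


def diagnose(summary):
    """Turn a summary into the question the thread asks: are signatures making it through?"""
    if summary["rcode"] == "SERVFAIL":
        return "upstream itself answered SERVFAIL"
    if summary["tc"]:
        return "response truncated over UDP; retry over TCP before drawing conclusions"
    if not summary["do_echoed"]:
        return "upstream did not echo EDNS/DO: not DNSSEC-aware, a validator behind it cannot fetch RRSIGs"
    if summary["rrsig_count"] == 0:
        return "DO honoured but no RRSIG in the answer: upstream strips signatures (or the zone is unsigned)"
    return "RRSIGs present" + (", and upstream set AD (it validated the answer itself)" if summary["ad"] else "")


def query(server, qname, qtype=TYPE_A, timeout=3.0):
    """Send one UDP query to server:53 and summarise the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname, qtype), (server, 53))
        data, _ = sock.recvfrom(4096)
    return summarize_response(data)


# Constructed sample replies for offline use (not captured from any real resolver).
_QUESTION = wire_name("example.net") + struct.pack("!HH", TYPE_A, 1)
_A_RR = wire_name("example.net") + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 10])
_RRSIG_RR = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, 30) + b"\x00" * 30  # name compressed to offset 12
# DNSSEC-aware upstream: QR|RD|RA|AD = 0x81A0, one A + one RRSIG, OPT with DO echoed
SAMPLE_WITH_RRSIG = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 2, 0, 1) + _QUESTION + _A_RR + _RRSIG_RR + OPT_DO_RR
# Stripping / non-DNSSEC-aware upstream: QR|RD|RA = 0x8180, only the A record, no OPT at all
SAMPLE_STRIPPED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION + _A_RR

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <resolver-ip> <signed-domain>")
    result = query(sys.argv[1], sys.argv[2])
    print(result)
    print(diagnose(result))
```

Run it once against the forwarder and once against a public validating resolver for the same domain that SERVFAILs; if the forwarder's reply has no OPT record echoed back or no RRSIG while the other reply has both, the forwarder is the problem rather than the zone. A zero RRSIG count only means something for a zone you already know is signed (a DS at the parent, as in the post), and a truncated UDP reply should be retried over TCP before concluding anything.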