SERVFAIL for valid DNSSEC-signed domains behind forwarder
Bagas Sanjaya
bagasdotme at gmail.com
Thu Mar 5 14:36:47 UTC 2026
On Thu, Mar 05, 2026 at 09:06:56AM +0000, Vahid Shaik wrote:
> Hi,
>
> I'm running BIND 9.18 as a caching resolver with DNSSEC validation enabled. When I configure forwarders to point at my ISP's DNS, some DNSSEC-signed domains return SERVFAIL even though they validate fine when querying root servers directly.
>
> My named.conf has:
>
> options {
>     dnssec-validation auto;
>     forwarders { 192.168.1.1; };
>     forward only;
> };
I see that your forwarder is defined somewhere else (maybe your router?).
>
> Domains like cloudflare.com and google.com resolve fine, but a few smaller domains with DS records at the parent return SERVFAIL. If I remove the forwarders block and let BIND do full recursion, same domains resolve perfectly.
Which domains do you have problems with through your forwarder?
>
> My guess is the ISP's resolver is stripping or mangling the DNSSEC RRSIGs before forwarding back to me, so BIND can't validate the chain. But I'm not sure how to confirm this without manually digging through the chain.
>
> I've been cross-checking results using https://dnsrobot.net/dns-lookup to query different public resolvers and compare whether they return the RRSIG records. Helps narrow down if it's my forwarder dropping them or if the zone itself has issues.
>
> Is there a way to tell BIND to fall back to full recursion when forwarded DNSSEC validation fails? Or should I just stop using forwarders entirely for a validating resolver?
forward first;
Thanks.
--
An old man doll... just what I always wanted! - Clara
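The reply's suggestion, written out as an added named.conf example (this is not configuration from either poster; 192.168.1.1 is the forwarder address from the original post, and example.org in the per-zone override is a placeholder name, not a domain from the thread). It shows the posted "forward only" line beside the "forward first" alternative:

```conf
// Added example: validating BIND 9 resolver that tries a forwarder first
// and falls back to its own recursion. Addresses and zone names are
// taken from the original post or are placeholders, as marked.
options {
    dnssec-validation auto;

    // Forwarder from the original post (the OP's router/ISP resolver).
    forwarders { 192.168.1.1; };

    // As posted: "forward only" sends every query to the forwarder and
    // never recurses on its own. If the forwarder returns answers without
    // the RRSIG/DNSKEY records the validator needs, the result is SERVFAIL.
    // forward only;

    // As suggested in the reply: query the forwarder first and, when it
    // yields no usable answer, perform normal recursion from the root.
    forward first;
};

// Optional per-zone override: an empty forwarders list inside a forward
// zone disables forwarding for that zone, so these names are always
// resolved by full recursion. "example.org" is a placeholder.
zone "example.org" {
    type forward;
    forwarders { };
};
```

Two caveats before relying on this: "forward first" falls back only when the forwarder does not produce an answer (timeouts, SERVFAIL and similar), so it does not repair a forwarder that returns well-formed but unsigned responses; and the forwarder must itself be DNSSEC-capable, passing through RRSIGs when queried with the DO bit. A quick check is `dig +dnssec @192.168.1.1 <name>` against `dig +dnssec @127.0.0.1 <name>`: if the forwarder's answer lacks RRSIG records or the `ad` flag while a direct recursion shows them, the forwarder is the problem, not the zone.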