<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body>
<p>Hi All</p>
<p>I am running a bind 9.9.4-50 resolver on CentOS 7 (kernel 3.10.0-514.26.2.el7.x86_64). I have enabled dnssec and made it into a validating resolver, but I am facing issues with some sites that use CNAME and am getting SERVFAIL. Configs are pretty simple, as given below:</p>
<p>**configs</p>
<pre>
options {
	listen-on port 53 { 127.0.0.1; x.x.x.x; };
	listen-on-v6 port 53 { ::1; aaaa:bbbb:cccc::d; };
	directory	"/var/named";
	pid-file	"/var/run/named/named.pid";
	dump-file	"data/cache_dump.db";
	empty-zones-enable yes;
	zone-statistics yes;
	querylog yes;
	recursion yes;
	allow-recursion {localhost; my-net; };
	statistics-file "data/named_stats.txt";
	memstatistics-file "data/named_mem_stats.txt";
	allow-query {localhost; my-net; };
	allow-query-cache {localhost; my-net; };
	flush-zones-on-shutdown yes;
	version "UNNECESSARY";
	dnssec-enable yes;
	dnssec-validation auto; ## tried with yes but no difference
	random-device "/dev/urandom";
	managed-keys-directory "/var/named/dynamic";
};

// named.conf
//
include "/etc/named/acl.conf";
include "/etc/named/options.conf";
include "//etc/named/named-log.conf";
//include "/etc/named/named.rfc1912.zones";
include "/etc/rndc.key";
include "/etc/named.root.key";
zone "." IN {
	type hint;
	file "/var/named/data/named.root";
};
//
zone "0.0.127.in-addr.arpa" {
	type master;
	file "data/db.loopback.master";
	notify no;
};
</pre>
<p>**end of configs</p>
<p>**dig results for A record of www.icann.org</p>
<pre>
# dig @localhost www.icann.org. A +dnssec

; &lt;&lt;&gt;&gt; DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 &lt;&lt;&gt;&gt; @localhost www.icann.org. A +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: SERVFAIL, id: 25178
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.icann.org.			IN	A
</pre>
<p>*** Dig for CNAME works fine</p>
<pre>
# dig @localhost www.icann.org. cname +dnssec

; &lt;&lt;&gt;&gt; DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 &lt;&lt;&gt;&gt; @localhost www.icann.org. cname +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 62144
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 11

;www.icann.org.			IN	CNAME

;; ANSWER SECTION:
www.icann.org.		1747	IN	CNAME	www.vip.icann.org.
www.icann.org.		1747	IN	RRSIG	CNAME 7 3 3600 20170830102924 20170809041125 56445 icann.org. VB1PWieuP3nZX9rpJ8WyA2G0DoV86NxkrgT6HNDsTHmDI0xLYdGvLPCj H4m3lRg1YVxmpwFEJPDHG9TRcqo39T4TDFe+SIyMI/2ERFRhgorggaok zATAs35lDiLpoO7S1LLSWl/L+QmT/bK/XXq1VP/ZUjX3t6belB/GBnZW ZsL/NAU=

;; AUTHORITY SECTION:
icann.org.		84541	IN	NS	b.iana-servers.net.
icann.org.		84541	IN	NS	c.iana-servers.net.
icann.org.		84541	IN	NS	ns.icann.org.
icann.org.		84541	IN	NS	a.iana-servers.net.
icann.org.		84541	IN	RRSIG	NS 7 2 86400 20170831033936 20170810001125 56445 icann.org. jylCSOpN18PNZcDYghGrYky8NsR1Pt7Rpm+c564QQobdd6u8Q1cQtVZZ a+m8wDQtgb0LQCQ9FEXT7Sm9+/p+hGottj4YUuv1TDnLSztSkUqV5DOV ptqG7TCFqsF482AMEmqW8OKNMiapAX6NAbO1hl5gDm+BX0ro2XrCaqzU 8RrdHNE=

;; ADDITIONAL SECTION:
a.iana-servers.net.	170941	IN	A	199.43.135.53
a.iana-servers.net.	170941	IN	AAAA	2001:500:8f::53
b.iana-servers.net.	170941	IN	A	199.43.133.53
….
...
ns.icann.org.		84541	IN	A	199.4.138.53
ns.icann.org.		84541	IN	AAAA	2001:500:89::53
ns.icann.org.		1741	IN	RRSIG	A 7 3 3600 20170830005731 20170808155836 56445 icann.org. vcUjGAOoJj2nomVKLuigIJAYIOaauYWFN++wqcAYfwO6ayOXPxXMq4j6 jvc8W5r+aLl4jQlHHTZ5L2TghdrH2ngFl5YlXKJSCjcAwifcvASrr5rv +5nmC41L66ueEafDLCBV1vUD2KlaHro1Om1vxZkl9zLCPQc3ESRkHE74 5Nr+nY8=
ns.icann.org.		1741	IN	RRSIG	AAAA 7 3 3600 20170830012209 20170809081125 56445 icann.org. rPURe+sfaBHZccMmpr1sqTzKgxnehYE5D4jt+ndGLKS0yq91EvX/Ktmk EVdyrkSR74Ic+ZY2UjjMopqZO42StePHItX1X0UHXHwpZvS3DqYQwX7o g607QoXPDrotsw0HiG/LVWiT4nZDyGLxRgnp7sQLzAwja9UQO8U/XO6N LdWZ2+c=
</pre>
<p>**debug log</p>
<pre>
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: starting
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: attempting insecurity proof
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: checking existence of DS at 'org'
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: checking existence of DS at 'icann.org'
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: checking existence of DS at 'vip.icann.org'
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: checking existence of DS at 'www.vip.icann.org'
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: starting
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: attempting negative response validation
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96fdf0: vip.icann.org SOA: starting
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96fdf0: vip.icann.org SOA: attempting positive response validation
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96fdf0: vip.icann.org SOA: keyset with trust secure
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96fdf0: vip.icann.org SOA: verify rdataset (keyid=47600): success
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96fdf0: vip.icann.org SOA: marking as secure, noqname proof not needed
23-Aug-2017 16:17:57.872 dnssec: debug 3: validator @0x7f3ffc96fdf0: dns_validator_destroy
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: in authvalidated
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: resuming nsecvalidate
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96fdf0: j3dfsmtecn50eduoe8imh2o47cpe3o7b.vip.icann.org NSEC3: starting
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96fdf0: j3dfsmtecn50eduoe8imh2o47cpe3o7b.vip.icann.org NSEC3: attempting positive response validation
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96fdf0: j3dfsmtecn50eduoe8imh2o47cpe3o7b.vip.icann.org NSEC3: keyset with trust secure
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96fdf0: j3dfsmtecn50eduoe8imh2o47cpe3o7b.vip.icann.org NSEC3: verify rdataset (keyid=47600): success
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96fdf0: j3dfsmtecn50eduoe8imh2o47cpe3o7b.vip.icann.org NSEC3: marking as secure, noqname proof not needed
23-Aug-2017 16:17:57.872 dnssec: debug 3: validator @0x7f3ffc96fdf0: dns_validator_destroy
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: in authvalidated
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: resuming nsecvalidate
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: looking for relevant NSEC3
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: looking for relevant NSEC3
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: NSEC3 proves name exists (owner) data=0
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: nonexistence proof(s) found
23-Aug-2017 16:17:57.872 dnssec: debug 3: validator @0x7f3ffc96f160: dns_validator_destroy
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: in dsfetched2: ncache nxrrset
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: resuming proveunsecure
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: insecurity proof failed
</pre>
<p>With dnssec-validation turned on, resolving sites like www.icann.org fails. The alternative is to remove validation, which of course is not the desired solution.</p>
<p>Any help would be appreciated.</p>
<p>Thanks.</p>
<p>—<br>Dhungyel</p>
</body></html>
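<p>An added example, not part of Dhungyel's post and not BIND's own code: a small Python script that turns a <code>category dnssec</code> debug 3 trace like the one above into a per-validator summary, so the line that explains the SERVFAIL can be found without reading the whole trace by hand. The line shapes and every message string it matches are taken verbatim from the log above; the sample input is a constructed subset of those lines with the wrapped messages rejoined. Anything else about the log format is an assumption. It also handles one trap visible in the trace: named reuses a validator address after <code>dns_validator_destroy</code>, so two different validators can share <code>@0x7f3ffc96fdf0</code>.</p>

```python
"""Summarise a BIND `category dnssec` debug-3 trace into per-validator outcomes."""
import re

# Constructed sample: a subset of the debug-3 lines quoted in the post, with the
# line-wrapped messages rejoined. Address 0x7f3ffc96fdf0 is used by two
# validators in turn (SOA, then NSEC3): named reuses it after
# dns_validator_destroy, so the address alone does not identify an instance.
SAMPLE_LOG = """\
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: starting
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: attempting insecurity proof
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: checking existence of DS at 'org'
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: checking existence of DS at 'icann.org'
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: checking existence of DS at 'vip.icann.org'
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: checking existence of DS at 'www.vip.icann.org'
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: starting
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96fdf0: vip.icann.org SOA: starting
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96fdf0: vip.icann.org SOA: verify rdataset (keyid=47600): success
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96fdf0: vip.icann.org SOA: marking as secure, noqname proof not needed
23-Aug-2017 16:17:57.872 dnssec: debug 3: validator @0x7f3ffc96fdf0: dns_validator_destroy
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96fdf0: j3dfsmtecn50eduoe8imh2o47cpe3o7b.vip.icann.org NSEC3: starting
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96fdf0: j3dfsmtecn50eduoe8imh2o47cpe3o7b.vip.icann.org NSEC3: verify rdataset (keyid=47600): success
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96fdf0: j3dfsmtecn50eduoe8imh2o47cpe3o7b.vip.icann.org NSEC3: marking as secure, noqname proof not needed
23-Aug-2017 16:17:57.872 dnssec: debug 3: validator @0x7f3ffc96fdf0: dns_validator_destroy
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: NSEC3 proves name exists (owner) data=0
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: nonexistence proof(s) found
23-Aug-2017 16:17:57.872 dnssec: debug 3: validator @0x7f3ffc96f160: dns_validator_destroy
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: in dsfetched2: ncache nxrrset
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: resuming proveunsecure
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: insecurity proof failed
"""

# Two line shapes appear in the trace: "validating @ADDR: NAME TYPE: MESSAGE"
# and "validator @ADDR: dns_validator_destroy".
LINE_RE = re.compile(
    r"^\S+ \S+ dnssec: debug \d+: (?:"
    r"validating @(?P<addr>0x[0-9a-f]+): (?P<name>\S+) (?P<rtype>\S+): (?P<msg>.*)"
    r"|validator @(?P<done>0x[0-9a-f]+): dns_validator_destroy)$"
)
DS_RE = re.compile(r"checking existence of DS at '([^']+)'")
VERIFY_RE = re.compile(r"verify rdataset \(keyid=(\d+)\): (\w+)")

# Message substrings that settle how an instance ended (all quoted in the trace).
OUTCOMES = (
    ("insecurity proof failed", "bogus"),
    ("marking as secure", "secure"),
    ("nonexistence proof(s) found", "nonexistence proven"),
)


def parse_validators(log_text):
    """Return one dict per validator instance, in the order they started."""
    instances, live = [], {}  # live: address -> instance not yet destroyed
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other categories/severities, or wrapped tails of lines
        if m.group("done"):
            live.pop(m.group("done"), None)  # the address may be handed out again
            continue
        addr, msg = m.group("addr"), m.group("msg")
        if msg == "starting" or addr not in live:
            live[addr] = {"addr": addr, "name": m.group("name"),
                          "rtype": m.group("rtype"), "msgs": [],
                          "ds_checked_at": [], "keyids": [], "outcome": "unknown"}
            instances.append(live[addr])
        inst = live[addr]
        inst["msgs"].append(msg)
        ds = DS_RE.match(msg)
        if ds:
            inst["ds_checked_at"].append(ds.group(1))
        ver = VERIFY_RE.match(msg)
        if ver:
            inst["keyids"].append((int(ver.group(1)), ver.group(2)))
        for needle, outcome in OUTCOMES:
            if needle in msg:
                inst["outcome"] = outcome
    return instances


def explain(instances):
    """One-line verdict for the first (top-level) validator in the trace."""
    top = instances[0]
    what = f"{top['name']} {top['rtype']}"
    if top["outcome"] == "bogus" and "attempting insecurity proof" in top["msgs"]:
        # named only tries an insecurity proof when the RRset arrived without
        # RRSIGs; the proof fails when none of the DS lookups on the way down
        # finds an insecure delegation that would make unsigned data acceptable.
        return (f"{what}: RRset arrived unsigned and no insecure delegation was "
                f"found at any of {top['ds_checked_at']}; answer is bogus, "
                f"client gets SERVFAIL")
    return f"{what}: {top['outcome']}"


if __name__ == "__main__":
    found = parse_validators(SAMPLE_LOG)
    for inst in found:
        print(f"{inst['addr']} {inst['name']} {inst['rtype']}: {inst['outcome']}"
              f"  keys={inst['keyids']}  DS checked at={inst['ds_checked_at']}")
    print(explain(found))
```

<p>Run it on a real trace with <code>parse_validators(open(path).read())</code>. On the lines quoted above it reports four validator instances (three addresses): the SOA and NSEC3 validators both end <code>secure</code> under key 47600, the DS validator ends with a nonexistence proof, and the top-level <code>www.vip.icann.org A</code> validator ends <code>bogus</code> because it began with <code>attempting insecurity proof</code> (the A RRset came back without RRSIGs) and none of the DS checks at org, icann.org, vip.icann.org or www.vip.icann.org found an insecure delegation to excuse that. A quick cross-check on the live resolver is <code>dig @localhost www.vip.icann.org A +dnssec +cd</code>: with checking disabled, dig shows whatever the authoritative side sent, so it tells you directly whether any RRSIG accompanies the A record.</p>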