<div dir="ltr"><div>There's a huge amount of DNSSEC verbiage in the response to that query (4931-byte response from the authoritative nameservers), when querying with +dnssec. I'm guessing the resolver function of BIND might be having trouble with DNSSEC validation. At least, that's a hypothesis. I'm not familiar enough with the current BIND code to confirm/deny it.</div><div></div><div><br></div><div>                                                               - Kevin</div><div><br></div><br><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Jun 26, 2019 at 9:19 AM Dennis via bind-users <<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div class="gmail-m_-8293703854874901519gmail-m_1605103731323963226gmail-m_6181402207756124479yahoo-style-wrap" style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:13px"><div>Hi List,</div><div><br></div><div>When I try to resolve a TXT record <span><a href="http://cleanmail4.capgeminioutsourcing.nl" target="_blank">cleanmail4.capgeminioutsourcing.nl</a> I'll get a SERVFAIL. 
Asking Google seems to work though:</span></div><div><span><br></span></div><div><span><span>rndc flush <br></span></span><div><br></div><span></span><div>dig TXT <a href="http://cleanmail4.capgeminioutsourcing.nl" target="_blank">cleanmail4.capgeminioutsourcing.nl</a> @localhost<br><br>; <<>> DiG 9.10.3-P4-Debian <<>> TXT <a href="http://cleanmail4.capgeminioutsourcing.nl" target="_blank">cleanmail4.capgeminioutsourcing.nl</a> @localhost<br>;; global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3652<br>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags:; udp: 1024<br>;; QUESTION SECTION:<br>;<a href="http://cleanmail4.capgeminioutsourcing.nl" target="_blank">cleanmail4.capgeminioutsourcing.nl</a>. IN    TXT<br><br>;; Query time: 176 msec<br>;; SERVER: ::1#53(::1)<br>;; WHEN: Wed Jun 26 07:57:59 CDT 2019<br>;; MSG SIZE  rcvd: 63<br><br>named -v<br><div>BIND 9.10.3-P4-Debian <id:ebd72b3></div><div><br></div><div>This shows up in the log:</div><div><br></div><div><div>fetch completed at ../../../lib/dns/resolver.c:5082 for <a href="http://cleanmail4.capgeminioutsourcing.nl/TXT" target="_blank">cleanmail4.capgeminioutsourcing.nl/TXT</a> in 0.176478: ran out of space/success [domain:<a href="http://capgeminioutsourcing.nl" target="_blank">capgeminioutsourcing.nl</a>,referral:2,restart:1,qrysent:2,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]<br><br></div><div><br></div><div>BIND is running in a debian 9 VM in default config. 
I spun up that vm after we discovered a BIND machine elsewhere with the same problem.<br></div><div><br></div><div>Google gives an answer:<br></div><div><br></div><div><div>; <<>> DiG 9.10.3-P4-Debian <<>> TXT <a href="http://cleanmail4.capgeminioutsourcing.nl" target="_blank">cleanmail4.capgeminioutsourcing.nl</a> @<a href="http://8.8.8.8" target="_blank">8.8.8.8</a><br>;; global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58950<br>;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags:; udp: 512<br>;; QUESTION SECTION:<br>;<a href="http://cleanmail4.capgeminioutsourcing.nl" target="_blank">cleanmail4.capgeminioutsourcing.nl</a>. IN    TXT<br><br>;; AUTHORITY SECTION:<br><a href="http://capgeminioutsourcing.nl" target="_blank">capgeminioutsourcing.nl</a>. 899    IN    SOA    <a href="http://ns1.capgeminioutsourcing.nl" target="_blank">ns1.capgeminioutsourcing.nl</a>. dns\.<a href="http://bnl.capgemini.com" target="_blank">bnl.capgemini.com</a>. 189324 28800 2880 2419200 900<br><br>;; Query time: 45 msec<br>;; SERVER: 8.8.8.8#53(8.8.8.8)<br>;; WHEN: Wed Jun 26 08:04:51 CDT 2019<br><div>;; MSG SIZE  rcvd: 124</div><div><br></div><div>There is no record but Google does not fail. I've checked the SOA and can resolve the NS records. I'm overlooking something, but what?<br></div><div><br></div><div><br></div></div><div><br></div><div>Cheers,</div><div><br></div><div>Dennis<br></div><div><br></div></div></div></div><br></div></div></div>_______________________________________________<br>
</blockquote></div>
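An added example, not part of the thread or of BIND: a small parser for the "fetch completed" log line quoted in the post above, splitting out the result strings and per-fetch counters so lines like this can be triaged in bulk. It assumes the two slash-separated strings after the timing are the fetch result and the validation result, and that the counters named in `FAILURE_COUNTERS` indicate failures; the function names are hypothetical.

```python
import re

# Log line quoted in the post above, with the HTML link markup stripped.
SAMPLE = ("fetch completed at ../../../lib/dns/resolver.c:5082 for "
          "cleanmail4.capgeminioutsourcing.nl/TXT in 0.176478: "
          "ran out of space/success [domain:capgeminioutsourcing.nl,"
          "referral:2,restart:1,qrysent:2,timeout:0,lame:0,neterr:0,"
          "badresp:0,adberr:0,findfail:0,valfail:0]")

FETCH_RE = re.compile(
    r"fetch completed at (?P<src>\S+):(?P<line>\d+) for "
    r"(?P<name>\S+)/(?P<rtype>[A-Z0-9-]+) in (?P<secs>\d+\.\d+): "
    r"(?P<result>[^/\[]+)/(?P<vresult>[^\[]+?) \[(?P<stats>[^\]]*)\]")

# Assumption of this example (from the counter names): these indicate
# failures, while referral/restart/qrysent only count progress.
FAILURE_COUNTERS = ("timeout", "lame", "neterr", "badresp",
                    "adberr", "findfail", "valfail")

def parse_fetch_line(line):
    """Return the fields of a 'fetch completed' line, or None if no match."""
    m = FETCH_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["line"] = int(rec["line"])
    rec["secs"] = float(rec["secs"])
    rec["result"] = rec["result"].strip()
    rec["vresult"] = rec["vresult"].strip()
    stats = {}
    for item in rec.pop("stats").split(","):
        key, _, value = item.partition(":")
        stats[key.strip()] = int(value) if value.isdigit() else value
    rec["stats"] = stats
    return rec

def nonzero_failures(rec):
    """Failure counters that are greater than zero for this fetch."""
    return {k: rec["stats"][k] for k in FAILURE_COUNTERS if rec["stats"].get(k)}

def summarize(line):
    rec = parse_fetch_line(line)
    if rec is None:
        return "not a fetch-completed line"
    return (f"{rec['name']}/{rec['rtype']}: result={rec['result']!r} "
            f"validation={rec['vresult']!r} "
            f"failures={nonzero_failures(rec) or 'none'}")

if __name__ == "__main__":
    print(summarize(SAMPLE))
```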