<div dir="ltr"><div dir="ltr">Hello Ananad, and all,<div><br></div><div>><a href="http://www.facebook.com">www.facebook.com</a></div><div>$ dig @<a href="http://127.0.0.1">127.0.0.1</a> -t A <a href="http://www.facebook.com">www.facebook.com</a><br><br>; <<>> DiG 9.16.1-Ubuntu <<>> @<a href="http://127.0.0.1">127.0.0.1</a> -t A <a href="http://www.facebook.com">www.facebook.com</a><br>; (1 server found)<br>;; global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38917<br>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags:; udp: 4096<br>; COOKIE: a18d9ed2a6d1bcd6010000005fb982763dfdafed174d4ef1 (good)<br>;; QUESTION SECTION:<br>;<a href="http://www.facebook.com">www.facebook.com</a>. IN A<br><br>;; Query time: 4 msec<br>;; SERVER: 127.0.0.1#53(127.0.0.1)<br>;; WHEN: Sat Nov 21 15:11:18 CST 2020<br>;; MSG SIZE rcvd: 73<br></div><div><br></div><div>> Your instance of BIND is probably logging to syslog. Look for these logs<br>> (usually /var/log/messages), and see what BIND is logging. It may shed a<br>> light on the problem. <br></div><div><br></div><div>Thank you. I enabled logging and when I grep for <a href="http://www.facebook.com">www.facebook.com</a> , I notice the following output from four different log files named.</div><div><br></div><div>debug.log:21-Nov-2020 15:11:18.004 queries: info: client @0x7fb6a800c0a0 127.0.0.1#33706 (<a href="http://www.facebook.com">www.facebook.com</a>): query: <a href="http://www.facebook.com">www.facebook.com</a> IN A +E(0)K (127.0.0.1)<br>default.log:21-Nov-2020 15:11:18.008 client @0x7fb6a800c0a0 127.0.0.1#33706 (<a href="http://www.facebook.com">www.facebook.com</a>): query failed (broken trust chain) for <a href="http://www.facebook.com/IN/A">www.facebook.com/IN/A</a> at query.c:6883<br>dnssec.log:21-Nov-2020 15:11:18.008 validating <a href="http://www.facebook.com/CNAME">www.facebook.com/CNAME</a>: bad cache hit (com/DS)<br>lame-servers.log:21-Nov-2020 15:11:18.008 broken trust chain resolving '<a href="http://www.facebook.com/A/IN">www.facebook.com/A/IN</a>': 129.134.31.12#53<br></div><div><br></div><div><br></div><div>Before running this query I also added dnssec-validation auto; to the options file and restarted the bind9 service. It's pointing to a broken trust chain which I am unsure how to resolve.</div><div><br></div><div>Thanks,</div><div>Upen</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Nov 21, 2020 at 3:11 PM Anand Buddhdev <<a href="mailto:anandb@ripe.net">anandb@ripe.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 21/11/2020 21:53, upen wrote:<br>
<br>
Hi Upen,<br>
<br>
> Could you someone guide me to troubleshoot this further? Thank you for the<br>
> list.<br>
<br>
Your instance of BIND is probably logging to syslog. Look for these logs<br>
(usually /var/log/messages), and see what BIND is logging. It may shed a<br>
light on the problem.<br>
<br>
Regards,<br>
Anand<br>
_______________________________________________<br>
Please visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
<br>
ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" rel="noreferrer" target="_blank">https://www.isc.org/contact/</a> for more information.<br>
<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature">upen,<br>emerge -uD life (Upgrade Life with dependencies) </div></div>