<div dir="ltr">Hi Mark and everyone,<div><br><div>Thank you for continuing to help me.</div><div>I have set DNS validation to auto from no and restarted the bind9 service.</div><div><br></div><div># egrep dnssec-validation /etc/bind/named.conf.options<br> dnssec-validation auto;<br></div><div><br></div><div>#dig +dnssec +cd dnskey .</div><div>; <<>> DiG 9.16.1-Ubuntu <<>> +dnssec +cd dnskey .<br></div><div>;; global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30138<br>;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags: do; udp: 4096<br>; COOKIE: 4c28af06251e4b51010000005fbb1b1fa619c694e6bff1b4 (good)<br>;; QUESTION SECTION:<br>;. IN DNSKEY<br><br>;; ANSWER SECTION:<br>. 172780 IN DNSKEY 256 3 8 AwEAAfC/6HLClwss6h7rPfoG2cliv4/SPJRd2HPEglRsvKZRbPP2RLfi obeAkczcdqaD5q8loEt14lcTgDqwzOISZ3YvSVkM4JRMFwKzcjukKo5C sDVbMmhTD0C0yxWICRQ1M+Y5/XkZAT7mt4cb3fWcN9xgyq1wEXQX+zdL QHrNEVQSiL5SoA5cOtCSoQ45n8bKDXdw/0jjP9Rw1FVKsdzLVkQSrVMm 8k30WUkHm/SK/n/954KENkdQOA6Li2vO9nicQdegyAkDeNJCdPN/p3jE hCTQLyO4AlAmyaPcDHeeo7OXr/VsYu4NTDde9hBuS0zx/rewD+BvSnmn NHNmH2FjUE8=<br>. 172780 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=<br>. 172780 IN RRSIG DNSKEY 8 0 172800 20201211000000 20201120000000 20326 . 
eD2ohirt98vCTbuBKIH8lmGum8g2zumyXA89A999extXqsWmomgVQhcb l6zvJHLdFvhBmA+ZqhOTiXvdXpOPeyqHLuMiRv8TTawNU305WPnsonSx uD5ThT9q7YXUZc9ty19Aur3AU0KtlNGULI+4ExrghEkdTNrysqgDWBO6 zslPuJlzSwu/qZcPWYVjsWRnCtJ9DyCpgLnjSYIUzA0Xz+FWtj1jM0BK Z9EyO+W5EaGkL2/u+bWWG07ZKJN0NwvTuq7Ounc+lz0zZDh83r/H4KRN J4VIoY3qPDkW4ZvGdAFM5o8sZdTTWKbieqCqWccj8W6sHEdiZ91JCt/G 3/FVsw==<br><br>;; Query time: 0 msec<br>;; SERVER: 127.0.0.1#53(127.0.0.1)<br>;; WHEN: Sun Nov 22 20:14:55 CST 2020<br>;; MSG SIZE rcvd: 893<br></div><div><br></div><div><br></div><div>The root zone is not forwarded and the file is located at </div><div>#ls -al /usr/share/dns/root.hints*<br>-rw-r--r-- 1 root root 3311 May 29 2019 /usr/share/dns/root.hints<br>-rw-r--r-- 1 root root 72 May 29 2019 /usr/share/dns/root.hints.sig<br></div><div><br></div><div>Contents of the root.hints file are pasted at <a href="https://dpaste.com/EWKCX34NQ">https://dpaste.com/EWKCX34NQ</a> . File is provided with OS package -> dns-root-data (Description: 2019052802 DNS root data including root zone and DNSSEC key)</div><div><br></div><div>Additional files provided by that package</div><div>#dpkg-query -L dns-root-data<br>/.<br>/usr<br>/usr/share<br>/usr/share/dns<br>/usr/share/dns/root.ds<br>/usr/share/dns/root.hints<br>/usr/share/dns/root.hints.sig<br>/usr/share/dns/root.key<br>/usr/share/doc<br>/usr/share/doc/dns-root-data<br>/usr/share/doc/dns-root-data/changelog.gz<br>/usr/share/doc/dns-root-data/copyright<br></div><div><br></div><div>Not sure what changed here, I am getting results now even after setting "dnssec-validation" to auto. 
Really puzzled.</div><div><br></div><div>#dig @<a href="http://127.0.0.1">127.0.0.1</a> +dnssec +cd dnskey <a href="http://www.facebook.com">www.facebook.com</a><br><br>; <<>> DiG 9.16.1-Ubuntu <<>> @<a href="http://127.0.0.1">127.0.0.1</a> +dnssec +cd dnskey <a href="http://www.facebook.com">www.facebook.com</a><br>; (1 server found)<br>;; global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19781<br>;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags: do; udp: 4096<br>; COOKIE: 028fb4fde9f61d53010000005fbb1fcca2b3cd29887d7e13 (good)<br>;; QUESTION SECTION:<br>;<a href="http://www.facebook.com">www.facebook.com</a>. IN DNSKEY<br><br>;; ANSWER SECTION:<br><a href="http://www.facebook.com">www.facebook.com</a>. 2395 IN CNAME <a href="http://star-mini.c10r.facebook.com">star-mini.c10r.facebook.com</a>.<br><br>;; AUTHORITY SECTION:<br><a href="http://c10r.facebook.com">c10r.facebook.com</a>. 216 IN SOA <a href="http://a.ns.c10r.facebook.com">a.ns.c10r.facebook.com</a>. <a href="http://dns.facebook.com">dns.facebook.com</a>. 1606098709 300 600 600 300<br><br>;; Query time: 0 msec<br>;; SERVER: 127.0.0.1#53(127.0.0.1)<br>;; WHEN: Sun Nov 22 20:34:52 CST 2020<br>;; MSG SIZE rcvd: 176<br></div><div><br></div><div><br></div><div>Thank you,</div><div>Upen</div><div><br></div><div><br></div><div><br></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, Nov 22, 2020 at 5:47 PM Mark Andrews <<a href="mailto:marka@isc.org">marka@isc.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Ok. Let's start by debugging this from the trust anchor downwards.<br>
Let's see what "dig +dnssec +cd dnskey .” returns. It should return<br>
something like below with 2 DNSKEY records and a RRSIG for the DNSKEY.<br>
The RRSIG is regenerated daily so it will likely differ. The DNSKEY<br>
records should be an exact match. In this case flags contains ‘ad’ which<br>
means that the RRset has previously been validated.<br>
<br>
[beetle:~/git/bind9] marka% dig +dnssec +cd dnskey .<br>
;; BADCOOKIE, retrying.<br>
<br>
; <<>> DiG 9.15.4 <<>> +dnssec +cd dnskey .<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12403<br>
;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags: do; udp: 4096<br>
; COOKIE: f182281b307ab59a010000005fbaf21fcdc7ab7803361e3c (good)<br>
;; QUESTION SECTION:<br>
;. IN DNSKEY<br>
<br>
;; ANSWER SECTION:<br>
. 134751 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=<br>
. 134751 IN DNSKEY 256 3 8 AwEAAfC/6HLClwss6h7rPfoG2cliv4/SPJRd2HPEglRsvKZRbPP2RLfi obeAkczcdqaD5q8loEt14lcTgDqwzOISZ3YvSVkM4JRMFwKzcjukKo5C sDVbMmhTD0C0yxWICRQ1M+Y5/XkZAT7mt4cb3fWcN9xgyq1wEXQX+zdL QHrNEVQSiL5SoA5cOtCSoQ45n8bKDXdw/0jjP9Rw1FVKsdzLVkQSrVMm 8k30WUkHm/SK/n/954KENkdQOA6Li2vO9nicQdegyAkDeNJCdPN/p3jE hCTQLyO4AlAmyaPcDHeeo7OXr/VsYu4NTDde9hBuS0zx/rewD+BvSnmn NHNmH2FjUE8=<br>
. 134751 IN RRSIG DNSKEY 8 0 172800 20201211000000 20201120000000 20326 . eD2ohirt98vCTbuBKIH8lmGum8g2zumyXA89A999extXqsWmomgVQhcb l6zvJHLdFvhBmA+ZqhOTiXvdXpOPeyqHLuMiRv8TTawNU305WPnsonSx uD5ThT9q7YXUZc9ty19Aur3AU0KtlNGULI+4ExrghEkdTNrysqgDWBO6 zslPuJlzSwu/qZcPWYVjsWRnCtJ9DyCpgLnjSYIUzA0Xz+FWtj1jM0BK Z9EyO+W5EaGkL2/u+bWWG07ZKJN0NwvTuq7Ounc+lz0zZDh83r/H4KRN J4VIoY3qPDkW4ZvGdAFM5o8sZdTTWKbieqCqWccj8W6sHEdiZ91JCt/G 3/FVsw==<br>
<br>
;; Query time: 0 msec<br>
;; SERVER: 127.0.0.1#53(127.0.0.1)<br>
;; WHEN: Mon Nov 23 10:19:59 AEDT 2020<br>
;; MSG SIZE rcvd: 893<br>
<br>
[beetle:~/git/bind9] marka% <br>
<br>
If you don’t get an answer like this then we need to work out why.<br>
<br>
Do you have a local copy of the root zone? If so is from IANA<br>
or from somewhere else?<br>
<br>
Are you forwarding the root zone? If so what do ALL the forwarders<br>
return for "dig +dnssec +cd dnskey . @<server>” where <server> is<br>
replaced by the IP address for each server. If you are forwarding, is<br>
it forward “first” or “only”?<br>
<br>
Mark<br>
<br>
> On 22 Nov 2020, at 08:20, upen <<a href="mailto:upendra.gandhi@gmail.com" target="_blank">upendra.gandhi@gmail.com</a>> wrote:<br>
> <br>
> Hello Anand, and all,<br>
> <br>
> ><a href="http://www.facebook.com" rel="noreferrer" target="_blank">www.facebook.com</a><br>
> $ dig @<a href="http://127.0.0.1" rel="noreferrer" target="_blank">127.0.0.1</a> -t A <a href="http://www.facebook.com" rel="noreferrer" target="_blank">www.facebook.com</a><br>
> <br>
> ; <<>> DiG 9.16.1-Ubuntu <<>> @<a href="http://127.0.0.1" rel="noreferrer" target="_blank">127.0.0.1</a> -t A <a href="http://www.facebook.com" rel="noreferrer" target="_blank">www.facebook.com</a><br>
> ; (1 server found)<br>
> ;; global options: +cmd<br>
> ;; Got answer:<br>
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38917<br>
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1<br>
> <br>
> ;; OPT PSEUDOSECTION:<br>
> ; EDNS: version: 0, flags:; udp: 4096<br>
> ; COOKIE: a18d9ed2a6d1bcd6010000005fb982763dfdafed174d4ef1 (good)<br>
> ;; QUESTION SECTION:<br>
> ;<a href="http://www.facebook.com" rel="noreferrer" target="_blank">www.facebook.com</a>. IN A<br>
> <br>
> ;; Query time: 4 msec<br>
> ;; SERVER: 127.0.0.1#53(127.0.0.1)<br>
> ;; WHEN: Sat Nov 21 15:11:18 CST 2020<br>
> ;; MSG SIZE rcvd: 73<br>
> <br>
> > Your instance of BIND is probably logging to syslog. Look for these logs<br>
> > (usually /var/log/messages), and see what BIND is logging. It may shed a<br>
> > light on the problem. <br>
> <br>
> Thank you. I enabled logging and when I grep for <a href="http://www.facebook.com" rel="noreferrer" target="_blank">www.facebook.com</a> , I notice the following output from four different log files named.<br>
> <br>
> debug.log:21-Nov-2020 15:11:18.004 queries: info: client @0x7fb6a800c0a0 127.0.0.1#33706 (<a href="http://www.facebook.com" rel="noreferrer" target="_blank">www.facebook.com</a>): query: <a href="http://www.facebook.com" rel="noreferrer" target="_blank">www.facebook.com</a> IN A +E(0)K (127.0.0.1)<br>
> default.log:21-Nov-2020 15:11:18.008 client @0x7fb6a800c0a0 127.0.0.1#33706 (<a href="http://www.facebook.com" rel="noreferrer" target="_blank">www.facebook.com</a>): query failed (broken trust chain) for <a href="http://www.facebook.com/IN/A" rel="noreferrer" target="_blank">www.facebook.com/IN/A</a> at query.c:6883<br>
> dnssec.log:21-Nov-2020 15:11:18.008 validating <a href="http://www.facebook.com/CNAME" rel="noreferrer" target="_blank">www.facebook.com/CNAME</a>: bad cache hit (com/DS)<br>
> lame-servers.log:21-Nov-2020 15:11:18.008 broken trust chain resolving '<a href="http://www.facebook.com/A/IN" rel="noreferrer" target="_blank">www.facebook.com/A/IN</a>': 129.134.31.12#53<br>
> <br>
> <br>
> Before running this query I also added dnssec-validation auto; to the options file and restarted the bind9 service. It's pointing to a broken trust chain which I am unsure how to resolve.<br>
> <br>
> Thanks,<br>
> Upen<br>
> <br>
> <br>
> On Sat, Nov 21, 2020 at 3:11 PM Anand Buddhdev <<a href="mailto:anandb@ripe.net" target="_blank">anandb@ripe.net</a>> wrote:<br>
> On 21/11/2020 21:53, upen wrote:<br>
> <br>
> Hi Upen,<br>
> <br>
> > Could you someone guide me to troubleshoot this further? Thank you for the<br>
> > list.<br>
> <br>
> Your instance of BIND is probably logging to syslog. Look for these logs<br>
> (usually /var/log/messages), and see what BIND is logging. It may shed a<br>
> light on the problem.<br>
> <br>
> Regards,<br>
> Anand<br>
> _______________________________________________<br>
> Please visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
> <br>
> ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" rel="noreferrer" target="_blank">https://www.isc.org/contact/</a> for more information.<br>
> <br>
> <br>
> bind-users mailing list<br>
> <a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
> <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
> <br>
> <br>
> -- <br>
> upen,<br>
> emerge -uD life (Upgrade Life with dependencies)<br>
<br>
-- <br>
Mark Andrews, ISC<br>
1 Seymour St., Dundas Valley, NSW 2117, Australia<br>
PHONE: +61 2 9871 4742 INTERNET: <a href="mailto:marka@isc.org" target="_blank">marka@isc.org</a><br>
<br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature">upen,<br>emerge -uD life (Upgrade Life with dependencies) </div>
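As an added example (not from the thread and not ISC's code), here is the check Mark describes done programmatically: take the root DNSKEY RRset that `dig +dnssec +cd dnskey .` returned above, compute the RFC 4034 key tag and the SHA-256 DS digest of the key with the SEP flag (257), and compare them with the configured trust anchor. The DS line is IANA's published KSK-2017 anchor, which is the record dns-root-data ships in /usr/share/dns/root.ds; the sample RRset is copied from the dig output in the thread.

```python
import base64
import hashlib
import struct

# Constructed sample: the root DNSKEY RRset exactly as "dig +dnssec +cd dnskey ."
# returned it in the thread above (flags 256 = ZSK, flags 257 = KSK).
ROOT_DNSKEY_RRSET = """\
. 172780 IN DNSKEY 256 3 8 AwEAAfC/6HLClwss6h7rPfoG2cliv4/SPJRd2HPEglRsvKZRbPP2RLfi obeAkczcdqaD5q8loEt14lcTgDqwzOISZ3YvSVkM4JRMFwKzcjukKo5C sDVbMmhTD0C0yxWICRQ1M+Y5/XkZAT7mt4cb3fWcN9xgyq1wEXQX+zdL QHrNEVQSiL5SoA5cOtCSoQ45n8bKDXdw/0jjP9Rw1FVKsdzLVkQSrVMm 8k30WUkHm/SK/n/954KENkdQOA6Li2vO9nicQdegyAkDeNJCdPN/p3jE hCTQLyO4AlAmyaPcDHeeo7OXr/VsYu4NTDde9hBuS0zx/rewD+BvSnmn NHNmH2FjUE8=
. 172780 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=
"""
# Root KSK-2017 trust anchor in DS form as published by IANA; dns-root-data ships
# the same record in /usr/share/dns/root.ds, so cross-check it against that file.
ROOT_TRUST_ANCHOR_DS = ". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D"

def parse_dnskey(line):
    """Presentation-format DNSKEY RR -> (owner, flags, protocol, algorithm, key bytes)."""
    f = line.split()
    if len(f) < 8 or f[3] != "DNSKEY":
        raise ValueError("not a DNSKEY record: " + line)
    return f[0], int(f[4]), int(f[5]), int(f[6]), base64.b64decode("".join(f[7:]))

def owner_to_wire(owner):
    """Wire-format name: length-prefixed labels plus a zero byte (root is a single zero byte)."""
    labels = [l for l in owner.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over wire-format owner name || DNSKEY RDATA."""
    return hashlib.sha256(owner_to_wire(owner) + rdata).hexdigest().upper()

def check_trust_anchor(rrset_text, ds_line):
    """Return (key_tag, digest, matches) for the SEP key (KSK) in the RRset vs. the DS line."""
    ds = ds_line.split()
    want = (int(ds[-4]), int(ds[-3]), ds[-1].upper())   # key tag, algorithm, digest
    for line in rrset_text.splitlines():
        owner, flags, protocol, algorithm, key = parse_dnskey(line)
        if not flags & 0x0001:          # SEP bit clear: a ZSK, skip it
            continue
        rdata = struct.pack("!HBB", flags, protocol, algorithm) + key
        tag, digest = key_tag(rdata), ds_sha256(owner, rdata)
        return tag, digest, (tag, algorithm, digest) == want
    raise ValueError("no SEP (257) DNSKEY in the RRset")
```

If `matches` comes back False for the RRset a resolver returns, the keys it is seeing are not the ones the trust anchor in root.key/root.ds was built from, which is the first thing to rule out before chasing a "broken trust chain" further down the tree.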