<div dir="ltr">Hi Mark, <div><br></div><div>We noticed the problem because client can't resolve <span style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0);font-family:Menlo;font-size:11px"><a href="http://www.federalregister.gov">www.federalregister.gov</a>, hosted by </span><span style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0);font-family:Menlo;font-size:11px"><a href="http://ns3.gpo.gov">ns3.gpo.gov</a> and <a href="http://ns4.gpo.gov">ns4.gpo.gov</a>. Our error is similar to the previous post, plus some errors with the <a href="http://gpo.gov">gpo.gov</a> nameserver.</span><span style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0);font-family:Menlo;font-size:11px">I just wonder if it's the config problem with our </span>BIND 9.16.37 or problem with the <a href="http://gpo.gov">gpo.gov</a> nameserver ? </div><div><br></div><div>We have <span class="gmail-s2" style="font-family:Menlo;font-size:11px;font-variant-ligatures:no-common-ligatures;color:rgb(255,255,255);background-color:rgb(0,0,0)">dnssec</span><span class="gmail-s1" style="color:rgb(0,0,0);font-family:Menlo;font-size:11px;font-variant-ligatures:no-common-ligatures">-validation yes, not sure what to do if there is problem with our config. </span></div><div><span style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0);font-family:Menlo;font-size:11px"><br></span></div><div><br></div><div>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">Mar 13 18:02:18 ipam-dns-bl-5 named[2881]: client @0xaf1cb158 10.10.99.155#55940 (<a href="http://ns3.gpo.gov">ns3.gpo.gov</a>): query failed (broken trust chain) for <a href="http://ns3.gpo.gov/IN/A">ns3.gpo.gov/IN/A</a> at /mnt/proj/package-7-3/nessy/bind-9.16/lib/ns/query.c:7449</span></p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><br></span></p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"></span></p><pre>Mar 14 10:23:32 ipam-dns-in-1 named[3713]: broken trust chain resolving '
<a href="http://ns3.gpo.gov/A/IN">ns3.gpo.gov/A/IN</a>': 162.140.15.100#53</pre><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><br></span></p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">
</span></p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">Mar 13 16:18:46 ipam-dns-bl-4 named[2928]: broken trust chain resolving '<a href="http://www.federalregister.gov/AAAA/IN">www.federalregister.gov/AAAA/IN</a>': 162.140.15.100#53</span></p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><br></span></p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><br></span></p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">Thanks!</span></p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><br></span></p></div>
</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Mar 14, 2023 at 7:30 PM Mark Andrews <<a href="mailto:marka@isc.org">marka@isc.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Why are you trying to query this address? The IPv4 servers are 162.140.15.100<br>
and 162.140.254.200.<br>
<br>
> On 15 Mar 2023, at 07:53, Darren Ankney <<a href="mailto:darren.ankney@gmail.com" target="_blank">darren.ankney@gmail.com</a>> wrote:<br>
> <br>
> This is failing for me regularly:<br>
> <br>
> $ dig <a href="http://ns3.gpo.gov" rel="noreferrer" target="_blank">ns3.gpo.gov</a> +dnssec +norecurse @<a href="http://162.140.15.200" rel="noreferrer" target="_blank">162.140.15.200</a><br>
> ;; communications error to 162.140.15.200#53: timed out<br>
> ;; communications error to 162.140.15.200#53: timed out<br>
> ;; communications error to 162.140.15.200#53: timed out<br>
> <br>
> ; <<>> DiG 9.18.11 <<>> <a href="http://ns3.gpo.gov" rel="noreferrer" target="_blank">ns3.gpo.gov</a> +dnssec +norecurse @<a href="http://162.140.15.200" rel="noreferrer" target="_blank">162.140.15.200</a><br>
> ;; global options: +cmd<br>
> ;; no servers could be reached<br>
> <br>
> but all other combos of <a href="http://ns3.gpo.gov" rel="noreferrer" target="_blank">ns3.gpo.gov</a> or <a href="http://ns4.gpo.gov" rel="noreferrer" target="_blank">ns4.gpo.gov</a> and 162.140.15.100<br>
> and 162.140.15.200 work fine.<br>
> <br>
> On Tue, Mar 14, 2023 at 12:03 PM Tim Maestas <<a href="mailto:tmaestas95@gmail.com" target="_blank">tmaestas95@gmail.com</a>> wrote:<br>
>> <br>
>> I've been having problems resolving <a href="http://www.federalregister.gov" rel="noreferrer" target="_blank">www.federalregister.gov</a> which is served by <a href="http://ns3.gpo.gov" rel="noreferrer" target="_blank">ns3.gpo.gov</a> and <a href="http://ns4.gpo.gov" rel="noreferrer" target="_blank">ns4.gpo.gov</a>, using BIND 9.16.27. Haven't been able to quite figure out why so I've stuck an NTA in for the time being.<br>
>> <br>
>> On Tue, Mar 14, 2023 at 8:52 AM Stephane Bortzmeyer <<a href="mailto:bortzmeyer@nic.fr" target="_blank">bortzmeyer@nic.fr</a>> wrote:<br>
>>> <br>
>>> On Tue, Mar 14, 2023 at 11:35:38AM -0400,<br>
>>> Alexandra Yang <<a href="mailto:drayales@gmail.com" target="_blank">drayales@gmail.com</a>> wrote<br>
>>> a message of 183 lines which said:<br>
>>> <br>
>>>> I wonder if any of your nameserver resolve it just fine, like 8.8.8.8<br>
>>>> works<br>
>>> <br>
>>> Among RIPE Atlas probes, most succeed:<br>
>>> <br>
>>> % blaeu-resolve --displayvalidation -r 100 --type A <a href="http://gpo.gov" rel="noreferrer" target="_blank">gpo.gov</a><br>
>>> [ (Authentic Data flag) 162.140.14.82] : 46 occurrences<br>
>>> [162.140.14.82] : 52 occurrences<br>
>>> [ERROR: SERVFAIL] : 2 occurrences<br>
>>> Test #50935448 done at 2023-03-14T15:46:50Z<br>
>>> <br>
>>> The two whose resolvers servfail may have stricter/paranoid resolvers.<br>
<br>
-- <br>
Mark Andrews, ISC<br>
1 Seymour St., Dundas Valley, NSW 2117, Australia<br>
PHONE: +61 2 9871 4742 INTERNET: <a href="mailto:marka@isc.org" target="_blank">marka@isc.org</a><br>
<br>
-- <br>
Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
<br>
ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" rel="noreferrer" target="_blank">https://www.isc.org/contact/</a> for more information.<br>
<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
</blockquote></div>