<div dir="ltr">Hi Blason.<div>"<a href="http://incometax.gov.in" target="_blank">incometax.gov.in</a>" is a domain known to cause problems. Take a binary packet capture and look at it in Wireshark. Also see this <a href="https://dnsviz.net/d/incometax.gov.in/dnssec/" target="_blank">https://dnsviz.net/d/incometax.gov.in/dnssec/</a></div><div><br></div><div>A workaround in BIND is to disable DNSSEC validation for just that domain whilst leaving it on generally: see below.</div><div>DNSSEC validation is on ("auto") by default these days. Please don't turn it off for everything.</div><div><br></div><div><span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:13px">options {</span></div><div>...<br style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:13px"><span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:13px">validate-except {</span><br style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:13px"><span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:13px"><a href="http://incometax.gov.in">incometax.gov.in</a>;</span><br style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:13px"><span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:13px">...</span></div><div><span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:13px">};</span></div><div>...<br style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:13px"><span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:13px">};</span><br></div><div><span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:13px"><br></span></div><div><span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:13px">Hope this helps.</span></div><div><span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:13px">Greg</span></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, 30 Aug 2023 at 14:20, Blason R <<a href="mailto:blason16@gmail.com" target="_blank">blason16@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Hi all,</div><div><br></div><div>I have bind BIND 9.18.17-1+ubuntu22.04.1+isc+1-Ubuntu (Extended Support Version)</div><div>And I am facing this weird issue. Somehow <a href="http://eportal.incometax.gov.in" target="_blank">eportal.incometax.gov.in</a> site is not getting resolved through DNS.</div><div><br></div><div>I tried a lot but unfortunately the issue still persists.</div><div><br></div><div>Here are packet capture logs.</div><div><br></div><div>listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes<br>18:47:19.569999 ens18 In IP 192.168.1.162.61110 > 192.168.1.133.53: 20+ A? <a href="http://eportal.incometax.gov.in" target="_blank">eportal.incometax.gov.in</a>. (42)<br>18:47:19.587705 ens18 Out IP 192.168.1.133.40263 > 208.67.222.222.53: 30627+% [1au] A? <a href="http://eportal.incometax.gov.in" target="_blank">eportal.incometax.gov.in</a>. (65)<br>18:47:19.599214 ens18 Out IP 192.168.1.133.44299 > 1.1.1.1.53: 62952+% [1au] DNSKEY? <a href="http://incometax.gov.in" target="_blank">incometax.gov.in</a>. (57)<br>18:47:20.800736 ens18 Out IP 192.168.1.133.56154 > 8.8.8.8.53: 16152+% [1au] DNSKEY? <a href="http://incometax.gov.in" target="_blank">incometax.gov.in</a>. (57)<br>18:47:21.573628 ens18 In IP 192.168.1.162.53536 > 192.168.1.133.53: 21+ AAAA? <a href="http://eportal.incometax.gov.in" target="_blank">eportal.incometax.gov.in</a>. (42)<br>18:47:21.576427 ens18 Out IP 192.168.1.133.55356 > 8.8.8.8.53: 57361+% [1au] AAAA? <a href="http://eportal.incometax.gov.in" target="_blank">eportal.incometax.gov.in</a>. (65)<br>18:47:22.002738 ens18 Out IP 192.168.1.133.33064 > 208.67.222.222.53: 16204+% [1au] DNSKEY? <a href="http://incometax.gov.in" target="_blank">incometax.gov.in</a>. (57)<br>18:47:22.777934 ens18 Out IP 192.168.1.133.58739 > 208.67.222.222.53: 34205+% [1au] AAAA? <a href="http://eportal.incometax.gov.in" target="_blank">eportal.incometax.gov.in</a>. (65)<br>18:47:23.203333 ens18 Out IP 192.168.1.133.60920 > 9.9.9.9.53: 46145+% [1au] DNSKEY? <a href="http://incometax.gov.in" target="_blank">incometax.gov.in</a>. (57)<br>18:47:23.584820 ens18 In IP 192.168.1.162.53962 > 192.168.1.133.53: 22+ A? <a href="http://eportal.incometax.gov.in" target="_blank">eportal.incometax.gov.in</a>. (42)<br>18:47:24.405041 ens18 Out IP 192.168.1.133.56475 > 198.41.0.4.53: 12349 [1au] DNSKEY? <a href="http://incometax.gov.in" target="_blank">incometax.gov.in</a>. (57)<br>18:47:25.205136 ens18 Out IP 192.168.1.133.33517 > 192.36.148.17.53: 18768 [1au] DNSKEY? <a href="http://incometax.gov.in" target="_blank">incometax.gov.in</a>. (57)<br>18:47:25.237837 ens18 Out IP 192.168.1.133.43646 > 156.154.100.20.53: 28883 [1au] DNSKEY? <a href="http://incometax.gov.in" target="_blank">incometax.gov.in</a>. (57)<br>18:47:25.259888 ens18 Out IP 192.168.1.133.51762 > 59.160.103.171.53: 46716 [1au] DNSKEY? <a href="http://incometax.gov.in" target="_blank">incometax.gov.in</a>. (57)<br>18:47:25.597312 ens18 In IP 192.168.1.162.53963 > 192.168.1.133.53: 23+ AAAA? <a href="http://eportal.incometax.gov.in" target="_blank">eportal.incometax.gov.in</a>. (42)<br>18:47:26.498891 ens18 Out IP 192.168.1.133.52631 > 125.16.225.122.53: 12762 [1au] DNSKEY? <a href="http://incometax.gov.in" target="_blank">incometax.gov.in</a>. (57)</div><div><br></div><div>I feel this is something related to DNS RRKEY Record size?</div><div><br></div><div>Plus then I dumbdb on my server and went through cache using command</div><div><b>#rndc dumpdb -all</b></div><div><br></div><div>And here is the output</div><div><br></div><div><a href="http://incometax.gov.in" target="_blank">incometax.gov.in</a>. 3422 NS <a href="http://ns01.incometax.gov.in" target="_blank">ns01.incometax.gov.in</a>.<br> 3422 NS <a href="http://ns02.incometax.gov.in" target="_blank">ns02.incometax.gov.in</a>.<br><a href="http://ns01.incometax.gov.in" target="_blank">ns01.incometax.gov.in</a>. 131 \-AAAA ;-$NXRRSET<br>; <a href="http://ns01.incometax.gov.in" target="_blank">ns01.incometax.gov.in</a>. RRSIG NSEC ...<br>; <a href="http://ns01.incometax.gov.in" target="_blank">ns01.incometax.gov.in</a>. NSEC <a href="http://ns02.incometax.gov.in" target="_blank">ns02.incometax.gov.in</a>. A RRSIG NSEC<br>; <a href="http://incometax.gov.in" target="_blank">incometax.gov.in</a>. SOA <a href="http://ns01.incometax.gov.in" target="_blank">ns01.incometax.gov.in</a>. <a href="http://ns-admin.cpc.incometax.gov.in" target="_blank">ns-admin.cpc.incometax.gov.in</a>. 2023060970 7200 3600 1209600 3600<br>; <a href="http://incometax.gov.in" target="_blank">incometax.gov.in</a>. RRSIG SOA ...<br><a href="http://ns02.incometax.gov.in" target="_blank">ns02.incometax.gov.in</a>. 120 \-AAAA ;-$NXRRSET<br>; <a href="http://ns02.incometax.gov.in" target="_blank">ns02.incometax.gov.in</a>. RRSIG NSEC ...<br>; <a href="http://ns02.incometax.gov.in" target="_blank">ns02.incometax.gov.in</a>. NSEC <a href="http://ns03.incometax.gov.in" target="_blank">ns03.incometax.gov.in</a>. A RRSIG NSEC<br>; <a href="http://incometax.gov.in" target="_blank">incometax.gov.in</a>. SOA <a href="http://ns02.incometax.gov.in" target="_blank">ns02.incometax.gov.in</a>. <a href="http://ns-admin.cpc.incometax.gov.in" target="_blank">ns-admin.cpc.incometax.gov.in</a>. 2023071447 7200 3600 1209600 3600<br>; <a href="http://incometax.gov.in" target="_blank">incometax.gov.in</a>. RRSIG SOA ...<br>; <a href="http://ns01.incometax.gov.in" target="_blank">ns01.incometax.gov.in</a> [v6 TTL 131] [v4 unexpected] [v6 nxrrset]<br>; <a href="http://ns02.incometax.gov.in" target="_blank">ns02.incometax.gov.in</a> [v6 TTL 120] [v4 unexpected] [v6 nxrrset]<br>; <a href="http://ns01.incometax.gov.in" target="_blank">ns01.incometax.gov.in</a> [v6 TTL 131] [v4 unexpected] [v6 nxrrset]<br>; <a href="http://ns02.incometax.gov.in" target="_blank">ns02.incometax.gov.in</a> [v6 TTL 120] [v4 unexpected] [v6 nxrrset]<br>; <a href="http://ns01.incometax.gov.in" target="_blank">ns01.incometax.gov.in</a> [v6 TTL 131] [v4 unexpected] [v6 nxrrset]<br>; <a href="http://ns02.incometax.gov.in" target="_blank">ns02.incometax.gov.in</a> [v6 TTL 120] [v4 unexpected] [v6 nxrrset]<br>; <a href="http://ns01.incometax.gov.in" target="_blank">ns01.incometax.gov.in</a> [v6 TTL 131] [v4 unexpected] [v6 nxrrset]<br>; <a href="http://ns02.incometax.gov.in" target="_blank">ns02.incometax.gov.in</a> [v6 TTL 120] [v4 unexpected] [v6 nxrrset]<br>; <a href="http://ns01.incometax.gov.in" target="_blank">ns01.incometax.gov.in</a> [v6 TTL 131] [v4 unexpected] [v6 nxrrset]<br>; <a href="http://ns02.incometax.gov.in" target="_blank">ns02.incometax.gov.in</a> [v6 TTL 120] [v4 unexpected] [v6 nxrrset]<br>; <a href="http://ns01.incometax.gov.in" target="_blank">ns01.incometax.gov.in</a> [v6 TTL 130] [v4 unexpected] [v6 nxrrset]<br>; <a href="http://ns02.incometax.gov.in" target="_blank">ns02.incometax.gov.in</a> [v6 TTL 119] [v4 unexpected] [v6 nxrrset]<br>; <a href="http://ns01.incometax.gov.in" target="_blank">ns01.incometax.gov.in</a> [v6 TTL 128] [v4 unexpected] [v6 nxrrset]<br>; <a href="http://ns02.incometax.gov.in" target="_blank">ns02.incometax.gov.in</a> [v6 TTL 117] [v4 unexpected] [v6 nxrrset]<br>; <a href="http://ns01.incometax.gov.in" target="_blank">ns01.incometax.gov.in</a> [v6 TTL 128] [v4 unexpected] [v6 nxrrset]<br>; <a href="http://ns02.incometax.gov.in" target="_blank">ns02.incometax.gov.in</a> [v6 TTL 117] [v4 unexpected] [v6 nxrrset]<br>; <a href="http://ns01.incometax.gov.in" target="_blank">ns01.incometax.gov.in</a> [v6 TTL 128] [v4 unexpected] [v6 nxrrset]<br>; <a href="http://ns02.incometax.gov.in" target="_blank">ns02.incometax.gov.in</a> [v6 TTL 117] [v4 unexpected] [v6 nxrrset]<br>; <a href="http://ns01.incometax.gov.in" target="_blank">ns01.incometax.gov.in</a> [v6 TTL 128] [v4 unexpected] [v6 nxrrset]<br>; <a href="http://ns02.incometax.gov.in" target="_blank">ns02.incometax.gov.in</a> [v6 TTL 117] [v4 unexpected] [v6 nxrrset]<br>; <a href="http://ns01.incometax.gov.in" target="_blank">ns01.incometax.gov.in</a> [v6 TTL 128] [v4 unexpected] [v6 nxrrset]<br>; <a href="http://ns02.incometax.gov.in" target="_blank">ns02.incometax.gov.in</a> [v6 TTL 117] [v4 unexpected] [v6 nxrrset]<br>; <a href="http://ns01.incometax.gov.in" target="_blank">ns01.incometax.gov.in</a> [v6 TTL 125] [v4 unexpected] [v6 nxrrset]<br>; <a href="http://ns02.incometax.gov.in" target="_blank">ns02.incometax.gov.in</a> [v6 TTL 114] [v4 unexpected] [v6 nxrrset]<br>; <a href="http://ns01.incometax.gov.in" target="_blank">ns01.incometax.gov.in</a> [v6 TTL 125] [v4 unexpected] [v6 nxrrset]<br>; <a href="http://ns02.incometax.gov.in" target="_blank">ns02.incometax.gov.in</a> [v6 TTL 114] [v4 unexpected] [v6 nxrrset]<br>; <a href="http://ns01.incometax.gov.in" target="_blank">ns01.incometax.gov.in</a> [v6 TTL 125] [v4 unexpected] [v6 nxrrset]<br>; <a href="http://ns02.incometax.gov.in" target="_blank">ns02.incometax.gov.in</a> [v6 TTL 114] [v4 unexpected] [v6 nxrrset]<br>; <a href="http://ns01.incometax.gov.in" target="_blank">ns01.incometax.gov.in</a> [v6 TTL 125] [v4 unexpected] [v6 nxrrset]<br>; <a href="http://ns02.incometax.gov.in" target="_blank">ns02.incometax.gov.in</a> [v6 TTL 114] [v4 unexpected] [v6 nxrrset]<br>; <a href="http://ns01.incometax.gov.in" target="_blank">ns01.incometax.gov.in</a> [v6 TTL 125] [v4 unexpected] [v6 nxrrset]<br>; <a href="http://ns02.incometax.gov.in" target="_blank">ns02.incometax.gov.in</a> [v6 TTL 114] [v4 unexpected] [v6 nxrrset]<br>; <a href="http://ns01.incometax.gov.in" target="_blank">ns01.incometax.gov.in</a> [v6 TTL 125] [v4 unexpected] [v6 nxrrset]<br>; <a href="http://ns02.incometax.gov.in" target="_blank">ns02.incometax.gov.in</a> [v6 TTL 114] [v4 unexpected] [v6 nxrrset]<br>; <a href="http://ns01.incometax.gov.in" target="_blank">ns01.incometax.gov.in</a> [v6 TTL 125] [v4 unexpected] [v6 nxrrset]<br>; <a href="http://ns02.incometax.gov.in" target="_blank">ns02.incometax.gov.in</a> [v6 TTL 114] [v4 unexpected] [v6 nxrrset]<br>; <a href="http://ns01.incometax.gov.in" target="_blank">ns01.incometax.gov.in</a> [v6 TTL 125] [v4 unexpected] [v6 nxrrset]<br>; <a href="http://ns02.incometax.gov.in" target="_blank">ns02.incometax.gov.in</a> [v6 TTL 114] [v4 unexpected] [v6 nxrrset]<br>; <a href="http://ns01.incometax.gov.in" target="_blank">ns01.incometax.gov.in</a> [v6 TTL 124] [v4 unexpected] [v6 nxrrset]<br>; <a href="http://ns02.incometax.gov.in" target="_blank">ns02.incometax.gov.in</a> [v6 TTL 113] [v4 unexpected] [v6 nxrrset]</div><div><br></div><div>Any idea what could be an issue?<br></div><div><br></div></div>
-- <br>
Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
<br>
ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" rel="noreferrer" target="_blank">https://www.isc.org/contact/</a> for more information.<br>
<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
</blockquote></div>