There's a huge amount of DNSSEC verbiage in the response to that query (4931-byte response from the authoritative nameservers), when querying with +dnssec. I'm guessing the resolver function of BIND might be having trouble with DNSSEC validation. At least, that's a hypothesis. I'm not familiar enough with the current BIND code to confirm/deny it.
- Kevin

On Wed, Jun 26, 2019 at 9:19 AM Dennis via bind-users <bind-users@lists.isc.org> wrote:

> Hi List,
>
> When I try to resolve a TXT record cleanmail4.capgeminioutsourcing.nl
> I'll get a SERVFAIL. Asking Google seems to work though:
>
> rndc flush
>
> dig TXT cleanmail4.capgeminioutsourcing.nl @localhost
>
> ; <<>> DiG 9.10.3-P4-Debian <<>> TXT cleanmail4.capgeminioutsourcing.nl @localhost
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3652
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1024
> ;; QUESTION SECTION:
> ;cleanmail4.capgeminioutsourcing.nl. IN TXT
>
> ;; Query time: 176 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Wed Jun 26 07:57:59 CDT 2019
> ;; MSG SIZE rcvd: 63
>
> named -v
> BIND 9.10.3-P4-Debian <id:ebd72b3>
>
> This shows up in the log:
>
> fetch completed at ../../../lib/dns/resolver.c:5082 for cleanmail4.capgeminioutsourcing.nl/TXT in 0.176478: ran out of space/success [domain:capgeminioutsourcing.nl,referral:2,restart:1,qrysent:2,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
>
> BIND is running in a debian 9 VM in default config. I spun up that vm
> after we discovered a BIND machine elsewhere with the same problem.
>
> Google gives an answer:
>
> ; <<>> DiG 9.10.3-P4-Debian <<>> TXT cleanmail4.capgeminioutsourcing.nl @8.8.8.8
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58950
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;cleanmail4.capgeminioutsourcing.nl. IN TXT
>
> ;; AUTHORITY SECTION:
> capgeminioutsourcing.nl. 899 IN SOA ns1.capgeminioutsourcing.nl. dns\.bnl.capgemini.com. 189324 28800 2880 2419200 900
>
> ;; Query time: 45 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Wed Jun 26 08:04:51 CDT 2019
> ;; MSG SIZE rcvd: 124
>
> There is no record but Google does not fail. I've checked the SOA and can
> resolve the NS records. I'm overlooking something, but what?
>
> Cheers,
>
> Dennis
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
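An added example (not part of either message, and not ISC code): a small parser for the "fetch completed" log line quoted above, which splits out the two result strings and the per-fetch counters so that lines like it can be triaged in bulk. It assumes the two slash-separated strings are the fetch result and the validation result and that the counter names mean what they say; the function names are made up for the example.

```python
import re

# Constructed from the log excerpt in the quoted message, wrapped as mail wrapped it.
SAMPLE = """fetch completed at ../../../lib/dns/resolver.c:5082 for
cleanmail4.capgeminioutsourcing.nl/TXT in 0.176478: ran out of
space/success [domain:capgeminioutsourcing.nl
,referral:2,restart:1,qrysent:2,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]"""

# Assumed layout: ... for NAME/TYPE in SECONDS: RESULT/VRESULT [key:value,...]
FETCH_RE = re.compile(
    r"fetch completed at \S+ for (?P<name>\S+)/(?P<rtype>\w+) in (?P<secs>[\d.]+): "
    r"(?P<result>[^/\[]+)/(?P<vresult>[^\[]+?)\s*\[(?P<counters>[^\]]*)\]"
)
# Counters whose names suggest a failure cause (assumption based on the names).
FAILURE_COUNTERS = ("timeout", "lame", "neterr", "badresp", "adberr", "findfail", "valfail")

def parse_fetch_line(line):
    """Parse one 'fetch completed' line; return None if it does not match."""
    # Undo mail wrapping: collapse whitespace, then remove a space left before a comma.
    flat = re.sub(r"\s+,", ",", " ".join(line.split()))
    m = FETCH_RE.search(flat)
    if m is None:
        return None
    counters = {}
    for item in m.group("counters").split(","):
        key, _, value = item.partition(":")
        value = value.strip()
        counters[key.strip()] = int(value) if value.isdigit() else value
    return {
        "name": m.group("name"),
        "rtype": m.group("rtype"),
        "seconds": float(m.group("secs")),
        "result": m.group("result").strip(),
        "vresult": m.group("vresult").strip(),
        "counters": counters,
    }

def triage(rec):
    """Summarise which failure signals the line actually records."""
    nonzero = [k for k in FAILURE_COUNTERS if rec["counters"].get(k, 0)]
    return {
        "fetch_failed": rec["result"] != "success",
        "validation_failed": rec["vresult"] != "success" or "valfail" in nonzero,
        "nonzero_failure_counters": nonzero,
    }

if __name__ == "__main__":
    record = parse_fetch_line(SAMPLE)
    print(record["result"], "/", record["vresult"], triage(record))
```

For the quoted line this reports a failed fetch with every failure counter at zero, including valfail, and a second result string of "success".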