Hi,

I'm running BIND 9.18 as a caching resolver with DNSSEC validation enabled. 
When I configure forwarders to point at my ISP's DNS, some DNSSEC-signed 
domains return SERVFAIL even though they validate fine when querying root 
servers directly.

My named.conf has:

  options {
      dnssec-validation auto;
      forwarders { 192.168.1.1; };
      forward only;
  };

Domains like cloudflare.com and google.com resolve fine, but a few smaller 
domains with DS records at the parent return SERVFAIL. If I remove the 
forwarders block and let BIND do full recursion, the same domains resolve perfectly.

My guess is the ISP's resolver is stripping or mangling the DNSSEC RRSIGs 
before forwarding back to me, so BIND can't validate the chain. But I'm not 
sure how to confirm this without manually digging through the chain.

I've been cross-checking results using https://dnsrobot.net/dns-lookup to query 
different public resolvers and compare whether they return the RRSIG records. 
That helps narrow down whether it's my forwarder dropping them or whether the 
zone itself has issues.

Is there a way to tell BIND to fall back to full recursion when forwarded 
DNSSEC validation fails? Or should I just stop using forwarders entirely for a 
validating resolver?

Thanks
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list.
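One way to confirm the "forwarder strips the RRSIGs" hypothesis from the shell, as an added example that is not part of the original post: run `dig +dnssec` once against the forwarder and once along a path that validates (BIND with the forwarders block removed, or a direct query), then classify each transcript. The two transcripts embedded below are constructed, abbreviated dig outputs, not captures from any real resolver, and the name example.net is a placeholder.

```shell
#!/bin/sh
# Added example: classify `dig +dnssec` transcripts to see where DNSSEC data is lost.
# Real use: dig +dnssec @192.168.1.1 <name> A   (forwarder path)
#           dig +dnssec @127.0.0.1   <name> A   (local BIND doing full recursion)

# Print one word for the transcript in $1:
#   SERVFAIL etc. : the status field when it is not NOERROR
#   validated     : NOERROR, RRSIG present, AD flag set
#   signed-no-ad  : NOERROR, RRSIG present, AD flag missing
#   no-rrsig      : NOERROR but no RRSIG returned (DO bit not honoured / stripped)
dnssec_status() {
    status=$(printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    [ "$status" = "NOERROR" ] || { printf '%s\n' "$status"; return 0; }
    flags=$(printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    if printf '%s\n' "$1" | grep -v '^;' | grep -q '[[:space:]]IN[[:space:]]RRSIG[[:space:]]'; then
        case " $flags " in
            *" ad "*) printf 'validated\n' ;;
            *)        printf 'signed-no-ad\n' ;;
        esac
    else
        printf 'no-rrsig\n'
    fi
}

# Compare the forwarder transcript ($1) with the full-recursion transcript ($2).
diagnose() {
    fwd=$(dnssec_status "$1"); direct=$(dnssec_status "$2")
    if [ "$direct" = validated ] && [ "$fwd" != validated ]; then
        printf 'forwarder path: %s (direct path validates) -> forwarder drops DNSSEC data\n' "$fwd"
    elif [ "$direct" != validated ]; then
        printf 'direct path: %s -> look at the zone or its chain, not the forwarder\n' "$direct"
    else
        printf 'both paths validate\n'
    fi
}

# Constructed sample transcripts (not real captures).
FWD=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.net. 300 IN A 192.0.2.10
EOF
)
DIRECT=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.net. 300 IN A 192.0.2.10
example.net. 300 IN RRSIG A 13 2 300 20240101000000 20231201000000 12345 example.net. c29tZXNpZw==
EOF
)
diagnose "$FWD" "$DIRECT"
```

A forwarder that answers NOERROR without RRSIGs when the query carried the DO bit is exactly the case in which a validating BIND behind it returns SERVFAIL for signed zones.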
