On Thu, Mar 05, 2026 at 09:06:56AM +0000, Vahid Shaik wrote:
> Hi,
>
> I'm running BIND 9.18 as a caching resolver with DNSSEC validation enabled.
> When I configure forwarders to point at my ISP's DNS, some DNSSEC-signed
> domains return SERVFAIL even though they validate fine when querying root
> servers directly.
>
> My named.conf has:
>
> options {
> dnssec-validation auto;
> forwarders { 192.168.1.1; };
> forward only;
> };

I see that your forwarder is defined somewhere else (maybe your router?).

>
> Domains like cloudflare.com and google.com resolve fine, but a few smaller
> domains with DS records at the parent return SERVFAIL. If I remove the
> forwarders block and let BIND do full recursion, same domains resolve
> perfectly.

Which domains do you have problems with via your forwarder?

>
> My guess is the ISP's resolver is stripping or mangling the DNSSEC RRSIGs
> before forwarding back to me, so BIND can't validate the chain. But I'm not
> sure how to confirm this without manually digging through the chain.
>
> I've been cross-checking results using https://dnsrobot.net/dns-lookup to
> query different public resolvers and compare whether they return the RRSIG
> records. Helps narrow down if it's my forwarder dropping them or if the zone
> itself has issues.
>
> Is there a way to tell BIND to fall back to full recursion when forwarded
> DNSSEC validation fails? Or should I just stop using forwarders entirely for
> a validating resolver?

forward first;

Thanks.

-- 
An old man doll... just what I always wanted! - Clara
-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list.
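The check the original poster asks about, confirming whether the forwarder hands back RRSIGs at all and whether a SERVFAIL is a validation failure rather than a transport one, as an added shell example that is not part of this thread. It assumes dig from the BIND tools is installed; the sample dig outputs embedded below are constructed, example.net is a placeholder, and 192.168.1.1 is the forwarder from the original post.

```shell
#!/bin/sh
# Added example, not code from the thread. Classifies how a resolver handles
# a DNSSEC-signed name from `dig +dnssec` output, so the forwarder can be
# compared with direct recursion. Assumes dig (BIND tools) is installed;
# 192.168.1.1 is the forwarder from the post, example.net is a placeholder.

# classify_dig_output: read one dig run on stdin, print one token:
#   VALIDATED            RRSIG present and AD flag set (resolver validated)
#   SIGNED_NOT_VALIDATED RRSIG present, no AD (sigs passed through unvalidated)
#   RRSIG_STRIPPED       answer records but no RRSIG despite the DO bit
#   NO_DATA              NOERROR with an empty answer section
#   SERVFAIL/NXDOMAIN/.. the rcode itself, NO_RESPONSE if nothing came back
classify_dig_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\).*/\1/p' | head -n 1)
    if [ "$status" != NOERROR ]; then
        printf '%s\n' "${status:-NO_RESPONSE}"
        return 0
    fi
    if [ "${answers:-0}" -eq 0 ]; then
        echo NO_DATA
        return 0
    fi
    if printf '%s\n' "$out" | grep -q 'IN[[:space:]][[:space:]]*RRSIG[[:space:]]'; then
        if printf '%s\n' "$out" | grep -q '^;; flags:.* ad[ ;]'; then
            echo VALIDATED
        else
            echo SIGNED_NOT_VALIDATED
        fi
    else
        echo RRSIG_STRIPPED
    fi
}

# probe_resolver SERVER NAME: query with the DO bit, once normally and once
# with CD (checking disabled). SERVFAIL that becomes an answer under +cd is a
# validation failure; RRSIG_STRIPPED under +cd means the server never sent
# signatures, which is the "forwarder mangles RRSIGs" case from the post.
probe_resolver() {
    server=$1
    name=$2
    plain=$(dig @"$server" "$name" A +dnssec +time=3 +tries=1 2>/dev/null | classify_dig_output)
    withcd=$(dig @"$server" "$name" A +dnssec +cd +time=3 +tries=1 2>/dev/null | classify_dig_output)
    printf '%s via %s: normal=%s cd=%s\n' "$name" "$server" "$plain" "$withcd"
}

# Constructed sample dig outputs (not captured from any real server).
SAMPLE_VALIDATED=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4127
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.net.        3600    IN      A       192.0.2.10
example.net.        3600    IN      RRSIG   A 13 2 3600 20260401000000 20260301000000 12345 example.net. c29tZXNpZw==
EOF
)
SAMPLE_UNVALIDATED=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4128
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.net.        3600    IN      A       192.0.2.10
example.net.        3600    IN      RRSIG   A 13 2 3600 20260401000000 20260301000000 12345 example.net. c29tZXNpZw==
EOF
)
SAMPLE_STRIPPED=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4129
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.net.        3600    IN      A       192.0.2.10
EOF
)
SAMPLE_SERVFAIL=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4130
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
EOF
)

# With two arguments, probe a live resolver (./dnssec-probe.sh 192.168.1.1 example.net);
# otherwise classify the constructed samples.
if [ "$#" -eq 2 ] && command -v dig >/dev/null 2>&1; then
    probe_resolver "$1" "$2"
else
    for s in VALIDATED UNVALIDATED STRIPPED SERVFAIL; do
        eval "sample=\$SAMPLE_$s"
        printf 'sample %s -> %s\n' "$s" "$(printf '%s\n' "$sample" | classify_dig_output)"
    done
fi
```

Run probe_resolver once against the forwarder and once against a resolver that does full recursion (or against the zone's authoritative servers) for the same name: a forwarder that answers RRSIG_STRIPPED under +cd while direct recursion answers VALIDATED is the case the original post suspects, whereas SERVFAIL from both points at the zone rather than the forwarder.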

