@Bagas. Please don't suggest "forward first". If you're going to forward, forward. If not, don't.
@Vahid. I would suggest removing your global forwarding completely, allowing BIND to recurse, as it should. Why did you add a global forwarder in the first place?

Cheers,
Greg

On Thu, 5 Mar 2026 at 14:37, Bagas Sanjaya <[email protected]> wrote:
> On Thu, Mar 05, 2026 at 09:06:56AM +0000, Vahid Shaik wrote:
> > Hi,
> >
> > I'm running BIND 9.18 as a caching resolver with DNSSEC validation
> > enabled. When I configure forwarders to point at my ISP's DNS, some
> > DNSSEC-signed domains return SERVFAIL even though they validate fine when
> > querying root servers directly.
> >
> > My named.conf has:
> >
> > options {
> >     dnssec-validation auto;
> >     forwarders { 192.168.1.1; };
> >     forward only;
> > };
>
> I see that your forwarder is defined somewhere else (maybe your router?).
>
> > Domains like cloudflare.com and google.com resolve fine, but a few
> > smaller domains with DS records at the parent return SERVFAIL. If I remove
> > the forwarders block and let BIND do full recursion, the same domains resolve
> > perfectly.
>
> Which domains do you have problems with via your forwarder?
>
> > My guess is the ISP's resolver is stripping or mangling the DNSSEC
> > RRSIGs before forwarding back to me, so BIND can't validate the chain. But
> > I'm not sure how to confirm this without manually digging through the chain.
> >
> > I've been cross-checking results using https://dnsrobot.net/dns-lookup
> > to query different public resolvers and compare whether they return the
> > RRSIG records. It helps narrow down whether it's my forwarder dropping them or
> > the zone itself that has issues.
> >
> > Is there a way to tell BIND to fall back to full recursion when
> > forwarded DNSSEC validation fails? Or should I just stop using forwarders
> > entirely for a validating resolver?
>
> forward first;
>
> Thanks.
>
> --
> An old man doll... just what I always wanted! - Clara
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list.
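A check for the question raised in the thread, whether the forwarder is handing back RRSIGs at all, as added example code that is not from the thread or from ISC: it classifies the text output of `dig +dnssec` by whether RRSIG records and the `ad` flag survived. The two replies below are constructed samples, not live captures; against a real forwarder you would feed it the output of `dig +dnssec @192.168.1.1 <name> A`.

```shell
#!/bin/sh
# Added example (not from the thread): classify a `dig +dnssec` reply from a
# forwarder by whether the DNSSEC material a validating BIND needs survived.
# Exit: 0 = RRSIGs present, 1 = RRSIGs missing, 2 = query itself failed.

has_rrsig() {  # any RRSIG record in the reply (tab- or space-separated)?
    printf '%s\n' "$1" | grep -Eq '[[:space:]]IN[[:space:]]+RRSIG[[:space:]]'
}
has_ad_flag() {  # did the forwarder set "ad", i.e. validate the answer itself?
    printf '%s\n' "$1" | grep -Eq '^;; flags:[^;]*[[:space:]]ad([[:space:]]|;)'
}
is_noerror() {  # was the query answered with status NOERROR at all?
    printf '%s\n' "$1" | grep -Eq '^;; ->>HEADER<<-.*status: NOERROR'
}

dnssec_reply_status() {
    reply="$1"
    if ! is_noerror "$reply"; then
        echo "non-NOERROR status: the forwarder itself failed the query"
        return 2
    fi
    if ! has_rrsig "$reply"; then
        echo "no RRSIG in reply: forwarder strips DNSSEC data, BIND cannot validate"
        return 1
    fi
    if has_ad_flag "$reply"; then
        echo "RRSIG present, ad set: forwarder passes DNSSEC data and validates too"
    else
        echo "RRSIG present, no ad: forwarder passes DNSSEC data, BIND validates it"
    fi
    return 0
}

# Constructed sample replies (not real captures), cut down to the lines that matter.
GOOD_REPLY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.com.  3600 IN A     192.0.2.10
example.com.  3600 IN RRSIG A 13 2 3600 20260401000000 20260301000000 4242 example.com. c29tZXNpZw=='
STRIPPED_REPLY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.com.  3600 IN A     192.0.2.10'

for r in "$GOOD_REPLY" "$STRIPPED_REPLY"; do
    dnssec_reply_status "$r" || :  # non-zero is expected for the stripped reply
done
```

If the stripped case shows up for a zone that resolves fine by full recursion, the advice given in the thread applies: drop the global forwarders and let BIND recurse and validate for itself.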

