Re: Servfail on Bind -9.16.1

2020-11-22 Thread upen
Hello, Thank you. 1. DS record for com #dig DS com +dnssec ; <<>> DiG 9.16.1-Ubuntu <<>> DS com +dnssec ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14029 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION:

Re: Servfail on Bind -9.16.1

2020-11-22 Thread Mark Andrews
> On 23 Nov 2020, at 13:37, upen wrote: > > Hi Mark and everyone, > > Thank you for continuing to help me. > I have set DNS validation to auto from no and restarted the bind9 service. > > # egrep dnssec-validation /etc/bind/named.conf.options > dnssec-validation auto; > > #dig

Re: Servfail on Bind -9.16.1

2020-11-22 Thread upen
Hi Mark and everyone, Thank you for continuing to help me. I have set DNS validation to auto from no and restarted the bind9 service. # egrep dnssec-validation /etc/bind/named.conf.options dnssec-validation auto; #dig +dnssec +cd dnskey . ; <<>> DiG 9.16.1-Ubuntu <<>> +dnssec +cd

Re: Servfail on Bind -9.16.1

2020-11-22 Thread Mark Andrews
Ok. Lets start by debugging this from the trust anchor downwards. Lets see what "dig +dnssec +cd dnskey .” returns. It should return something like below with 2 DNSKEY records and a RRSIG for the DNSKEY. The RRSIG is regenerated daily so it will likely differ. The DNSKEY records should be a

Re: Servfail on Bind -9.16.1

2020-11-22 Thread upen
be wrong somewhere on my end /network > . > > >> From: bind-users on behalf of julien > >> soula > >> Sent: Sunday, November 22, 2020 9:31:56 AM > >> To: upen > >> Cc: bind-users@lists.isc.org ; BIND Users < > >> bind-us...@isc.o

Re: Servfail on Bind -9.16.1

2020-11-22 Thread Matus UHLAR - fantomas
Sent: Sunday, November 22, 2020 9:31:56 AM To: upen Cc: bind-users@lists.isc.org ; BIND Users < bind-us...@isc.org> Subject: Re: Servfail on Bind -9.16.1 On Sat, Nov 21, 2020 at 03:20:26PM -0600, upen wrote: > .../... > default.log:21-Nov-2020 15:11:18.008 client @0x7fb6a800c0a0 127

Re: Servfail on Bind -9.16.1

2020-11-22 Thread upen
To: upen > Cc: bind-users@lists.isc.org ; BIND Users < > bind-us...@isc.org> > Subject: Re: Servfail on Bind -9.16.1 > > On Sat, Nov 21, 2020 at 03:20:26PM -0600, upen wrote: > > .../... > > default.log:21-Nov-2020 15:11:18.008 client @0x7fb6a800c0a0 > 127.

Re: Servfail on Bind -9.16.1

2020-11-22 Thread Ismael Suarez
Also, just for testing. Similar happened to me. Try with ‘dnssec-validation no;’ From: bind-users on behalf of julien soula Sent: Sunday, November 22, 2020 9:31:56 AM To: upen Cc: bind-users@lists.isc.org ; BIND Users Subject: Re: Servfail on Bind -9.16.1

Re: Servfail on Bind -9.16.1

2020-11-22 Thread julien soula
On Sat, Nov 21, 2020 at 03:20:26PM -0600, upen wrote: > .../... > default.log:21-Nov-2020 15:11:18.008 client @0x7fb6a800c0a0 127.0.0.1#33706 > (www.facebook.com): query failed (broken trust chain) for > www.facebook.com/IN/A at query.c:6883 > dnssec.log:21-Nov-2020 15:11:18.008 validating

Re: Servfail on Bind -9.16.1

2020-11-21 Thread upen
On Sat, Nov 21, 2020 at 3:45 PM Fred Morris wrote: > Check your clock. Have you got NTP turned on? Is it working? If it's not, > flush cache/restart before you test again. > > Thank you Fred, Checked the time service , It's synced unless I am missing something. timedatectl timesync-status

Re: Servfail on Bind -9.16.1

2020-11-21 Thread Fred Morris
Check your clock. Have you got NTP turned on? Is it working? If it's not, flush cache/restart before you test again. -- Fred Morris ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the

Re: Servfail on Bind -9.16.1

2020-11-21 Thread upen
>packet capture (at a later point) https://dpaste.com/6FYQ4986D ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at

Re: Servfail on Bind -9.16.1

2020-11-21 Thread upen
Hello Ananad, and all, >www.facebook.com $ dig @127.0.0.1 -t A www.facebook.com ; <<>> DiG 9.16.1-Ubuntu <<>> @127.0.0.1 -t A www.facebook.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38917 ;; flags: qr rd ra; QUERY: 1,

Re: Servfail on Bind -9.16.1

2020-11-21 Thread Anand Buddhdev
On 21/11/2020 21:53, upen wrote: Hi Upen, > Could you someone guide me to troubleshoot this further? Thank you for the > list. Your instance of BIND is probably logging to syslog. Look for these logs (usually /var/log/messages), and see what BIND is logging. It may shed a light on the problem.

Re: Servfail on Bind -9.16.1

2020-11-21 Thread alcol alcol
upen Sent: Saturday, November 21, 2020 9:53 PM To: bind-users@lists.isc.org Subject: Servfail on Bind -9.16.1 Hello, I just installed a simple caching Bind9 using the package provided by Ubuntu 20.04(64bit) OS. I am not able to look up domains successfully and getting SERVFAILs $ dig @12

Servfail on Bind -9.16.1

2020-11-21 Thread upen
Hello, I just installed a simple caching Bind9 using the package provided by Ubuntu 20.04(64bit) OS. I am not able to look up domains successfully and getting SERVFAILs $ dig @127.0.0.1 -t A facebook.com ; <<>> DiG 9.16.1-Ubuntu <<>> @127.0.0.1 -t A facebook.com ; (1 server found) ;; global