Re: Servfail on Bind -9.16.1

[upen]

Hello,
Thank you.

1. DS record for com
#dig DS com +dnssec

; <<>> DiG 9.16.1-Ubuntu <<>> DS com +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14029
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: fdfd77fc04700d7201005fbb323fa7e65af53e803915 (good)
;; QUESTION SECTION:
;com.   IN  DS

;; ANSWER SECTION:
com.80472   IN  DS  30909 8 2
E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.80472   IN  RRSIG   DS 8 1 86400 2020120517
2020112216 26116 .
fu2mVhKX9+oDAx9T8LrIyli5yTBk28mCDw8SbAuIFKuRhGI8QiOgchEZ
0KzSaSpfBHpgVoq6mN8WFHeSPhPeZ5EOMbXvMjv9nvHNVKylu4C5mSRt
nWuoVXU531uYFEtuqJgcCoNBsiIznbq/3GkAZeYkc8pj/Hkma/p0/QYh
Lb1Mz/lW4SJNc03Kw0jDNw6Z2C1XGvDG3iHeJ6CFrZrvp7U41qDNqZEm
NT7T7/JXoUdy6evi6LCLXtZ4QAqKv5HReDRlVTkmAWVnQw+PtJ75nvCV
4pP3jp5ih70OSCQx3iB7xJ/8GtWiI5DvD9fmlbX8CRNu12sKX1/e/Lxd Ph1JXw==

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Nov 22 21:53:35 CST 2020
;; MSG SIZE  rcvd: 395



2. DNSSEC KEY for com
#dig DNSKEY com +dnssec

; <<>> DiG 9.16.1-Ubuntu <<>> DNSKEY com +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4992
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: dc1c3f1a640d17b001005fbb32a0c7fadb271d47476e (good)
;; QUESTION SECTION:
;com.   IN  DNSKEY

;; ANSWER SECTION:
com.80375   IN  DNSKEY  257 3 8
AQPDzldNmMvZFX4NcNJ0uEnKDg7tmv/F3MyQR0lpBmVcNcsIszxNFxsB
fKNW9JYCYqpik8366LE7VbIcNRzfp2h9OO8HRl+H+E08zauK8k7evWEm
u/6od+2boggPoiEfGNyvNPaSI7FOIroDsnw/taggzHRX1Z7SOiOiPWPN
IwSUyWOZ79VmcQ1GLkC6NlYvG3HwYmynQv6oFwGv/KELSw7ZSdrbTQ0H
XvZbqMUI7BaMskmvgm1G7oKZ1YiF7O9ioVNc0+7ASbqmZN7Z98EGU/Qh
2K/BgUe8Hs0XVcdPKrtyYnoQHd2ynKPcMMlTEih2/2HDHjRPJ2aywIpK Nnv4oPo/
com.80375   IN  DNSKEY  256 3 8
AwEAAadfNlrLwDe1W0klTRoNDeeEfZAop76YMUvOtl2pu0lXE5Fzj1sD
ROflxnOGTI9RfwrA0rD0ixBkW32Pu1nheytLBrPZ32hva+iY8jYQ/TPi
Msbc/soa8KHQ77eaJtJAImc+VLuXrI1QmRyrywJWU1fkZ9GyPP5YAhgn
ttH6ZDXgMeJYjzs5CLfMiV9vAWFgJvy98bG97JP3PpHL9/8BTGM=
com.80375   IN  RRSIG   DNSKEY 8 1 86400
20201206192421 20201121191921 30909 com.
K3w8cixeKqKbELJMyFynhuA+1oQYbLNSZhZ1NcSofx+ND3ImYoQ4rodY
uZokFmKvJkZvrBMSF0tfwWLYbyX+Xw2Fb//KKDD6gluN/evmoH3xv/XC
j4WFRUwF1L5jPjeylY233GzQN2RVHDFFpsdczcGwNp2BqyBMXHe2Lv+1
kOeTfEoA/XJdZSEMlo3V0xq6sxB9747wRfHm17ockLIHtWMI8eSyIO92
nTQj2WZninySf6N8yb5tGUu0ABoXlVF6fc9INybFNTZg7gF85hfCtjK4
Ko6W97d1CW5AyvGprYtJgNQDqzqoP7qkvFI4oSRDZJITwamhci90hBMv cXZDWA==

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Nov 22 21:55:12 CST 2020
;; MSG SIZE  rcvd: 805



3. DS Record for facebook.com

#dig @127.0.0.1 DS facebook.com +dnssec

; <<>> DiG 9.16.1-Ubuntu <<>> @127.0.0.1 DS facebook.com +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46111
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: ccfca253df729ea801005fbb331e11884fb6d63208e5 (good)
;; QUESTION SECTION:
;facebook.com.  IN  DS

;; AUTHORITY SECTION:
com.882 IN  SOA a.gtld-servers.net.
nstld.verisign-grs.com. 1606103797 1800 900 604800 86400
com.882 IN  RRSIG   SOA 8 1 900 20201130035637
20201123024637 31510 com.
CGHfYUjxwqYzK47ZkmMbdc7EVOnRYIjznaXmlMUphkxmWaw94HPio88H
U8kUx3H1wd3h9Ahtgsk74ctwILFBiUH2SHtQZ7HYJvRAZBv5+JvxSH54
aKLMOJWBoeS2M9UFeUcoC/IAkgyOG/4sfkz0W4hdV6vsgZsTLCoGjXnj
kQu1W/d6b7SttLX0pMg6OIwEXJbGlWnRIycaBt19tFmm6A==
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 882 IN RRSIG NSEC3 8 2 86400
20201129054027 20201122043027 31510 com.
kZw7h9mbKgXQ2YhIp+jKmg5xOUmZq7HPGRTZ2ERwIA5FjOBIkEWqWHga
SZhV/78SqH26QbwCXQnf0Hv7xzMdVwYOr7FwDE+7a//cL8yRe5pBd5Bb
y1QORmqRT8kTshhedhwyxjzk4TxcN8M0/JqiDUhb6iHacDFqqwIhm13l
Wy0xjM5nojLmY/fYuH/mKSsz5XlfEKGqG5q1FbZUZWhj3Q==
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 882 IN NSEC3 1 1 0 -
CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
I28FT380NFMJ3TJ970NBAD0HSSK1LEOK.com. 882 IN RRSIG NSEC3 8 2 86400
20201127071904 20201120060904 31510 com.
VuV00I8jZMAbQmVLBub0Yfk5eEng8NkCFrPCvK/19YpzEzkWKPpOVcya
xZqYZzAVBhSP/n2/kcC8tkDMFZHL8rbGAg/jPpJCAhp2Tszhc8pzqKtZ
CmFMZtO8HQGx1ZjCGpzHZ+6/5irvE7NJrkndTmoOd/1RfS/WeZseAkCb
204Td7fE0C5D/8oGRb81vFICH2IjnykeoEguPvWLXnWfqw==
I28FT380NFMJ3TJ970NBAD0HSSK1LEOK.com. 882 IN NSEC3 1 1 0 -
I28GLTLV5D2H16BES4T7GHH4AABNFOB0 NS DS RRSIG

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Nov 22 21:57:18 CST 2020
;; MSG SIZE  rcvd: 889


Thank you for that information Mark. I appreciate it. It looks like it's

Re: Servfail on Bind -9.16.1

[Mark Andrews]

> On 23 Nov 2020, at 13:37, upen  wrote:
> 
> Hi Mark and everyone,
> 
> Thank you for continuing to help me.
> I have set DNS validation to auto from no and restarted the  bind9 service.
> 
> # egrep dnssec-validation /etc/bind/named.conf.options
> dnssec-validation auto;
> 
> #dig +dnssec +cd dnskey .
> ; <<>> DiG 9.16.1-Ubuntu <<>> +dnssec +cd dnskey .
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30138
> ;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ; COOKIE: 4c28af06251e4b5101005fbb1b1fa619c694e6bff1b4 (good)
> ;; QUESTION SECTION:
> ;.  IN  DNSKEY
> 
> ;; ANSWER SECTION:
> .   172780  IN  DNSKEY  256 3 8 
> AwEAAfC/6HLClwss6h7rPfoG2cliv4/SPJRd2HPEglRsvKZRbPP2RLfi 
> obeAkczcdqaD5q8loEt14lcTgDqwzOISZ3YvSVkM4JRMFwKzcjukKo5C 
> sDVbMmhTD0C0yxWICRQ1M+Y5/XkZAT7mt4cb3fWcN9xgyq1wEXQX+zdL 
> QHrNEVQSiL5SoA5cOtCSoQ45n8bKDXdw/0jjP9Rw1FVKsdzLVkQSrVMm 
> 8k30WUkHm/SK/n/954KENkdQOA6Li2vO9nicQdegyAkDeNJCdPN/p3jE 
> hCTQLyO4AlAmyaPcDHeeo7OXr/VsYu4NTDde9hBuS0zx/rewD+BvSnmn NHNmH2FjUE8=
> .   172780  IN  DNSKEY  257 3 8 
> AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 
> +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv 
> ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 
> 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e 
> oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd 
> RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=
> .   172780  IN  RRSIG   DNSKEY 8 0 172800 
> 2020121100 2020112000 20326 . 
> eD2ohirt98vCTbuBKIH8lmGum8g2zumyXA89A999extXqsWmomgVQhcb 
> l6zvJHLdFvhBmA+ZqhOTiXvdXpOPeyqHLuMiRv8TTawNU305WPnsonSx 
> uD5ThT9q7YXUZc9ty19Aur3AU0KtlNGULI+4ExrghEkdTNrysqgDWBO6 
> zslPuJlzSwu/qZcPWYVjsWRnCtJ9DyCpgLnjSYIUzA0Xz+FWtj1jM0BK 
> Z9EyO+W5EaGkL2/u+bWWG07ZKJN0NwvTuq7Ounc+lz0zZDh83r/H4KRN 
> J4VIoY3qPDkW4ZvGdAFM5o8sZdTTWKbieqCqWccj8W6sHEdiZ91JCt/G 3/FVsw==
> 
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Sun Nov 22 20:14:55 CST 2020
> ;; MSG SIZE  rcvd: 893

so it looks like you are correctly able to validate the root’s DNSKEY records 
(‘ad’ is set in flags).
Next look at the next delegation to COM.  The DS record for COM should look 
like this

[beetle:bin/tests/system] marka% dig DS com +dnssec
;; BADCOOKIE, retrying.

; <<>> DiG 9.15.4 <<>> DS com +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4356
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 5b7d57a994cac97701005fbb2bcb06affb16b27b98ff (good)
;; QUESTION SECTION:
;com.   IN  DS

;; ANSWER SECTION:
com.33649   IN  DS  30909 8 2 
E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.33649   IN  RRSIG   DS 8 1 86400 2020120505 
2020112204 26116 . lYnjXIlENOzhY5t94JrTnNjkRxfaIvfhfwrxC4KQbVgGIbqfxRqjGlIu 
8JIHQaKoIfxXqP93MNhkKvFhOK3t/hYGvQEND/A7x+ktC+0uQFvF0CvE 
p3qRwQ0HuwR8OSXyS07AjZWTjSUXKqI8/bctkx7CegJtn8uk872tdqEF 
dnWZT6Tvqtt2NrveR5baSdHybrmoftbCDxndfRKOv/pjcpe0Qy7EDXWQ 
YL4I9qPtA5+GdxUWvBTWDXCrYKWxfoj6S5L+kPproaiGCABq7XalJIt8 
RdbBCkCANipsmBXAv61vy3BEyuJEjQqFxzi+MleJfxRSkaljIXd8A/d4 UM7sRg==

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Nov 23 14:26:03 AEDT 2020
;; MSG SIZE  rcvd: 395

[beetle:bin/tests/system] marka% 

and the DNSKEY records for COM should look like this

[beetle:bin/tests/system] marka% dig DNSKEY com +dnssec
;; BADCOOKIE, retrying.

; <<>> DiG 9.15.4 <<>> DNSKEY com +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25522
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 3ebc796c874b8ce901005fbb2c17cd6a9d9d8b8a5977 (good)
;; QUESTION SECTION:
;com.   IN  DNSKEY

;; ANSWER SECTION:
com.33656   IN  DNSKEY  256 3 8 
AwEAAadfNlrLwDe1W0klTRoNDeeEfZAop76YMUvOtl2pu0lXE5Fzj1sD 
ROflxnOGTI9RfwrA0rD0ixBkW32Pu1nheytLBrPZ32hva+iY8jYQ/TPi 
Msbc/soa8KHQ77eaJtJAImc+VLuXrI1QmRyrywJWU1fkZ9GyPP5YAhgn 
ttH6ZDXgMeJYjzs5CLfMiV9vAWFgJvy98bG97JP3PpHL9/8BTGM=
com.33656   IN  DNSKEY  257 3 8 
AQPDzldNmMvZFX4NcNJ0uEnKDg7tmv/F3MyQR0lpBmVcNcsIszxNFxsB 
fKNW9JYCYqpik8366LE7VbIcNRzfp2h9OO8HRl+H+E08zauK8k7evWEm 
u/6od+2boggPoiEfGNyvNPaSI7FOIroDsnw/taggzHRX1Z7SOiOiPWPN 
IwSUyWOZ79VmcQ1GLkC6NlYvG3HwYmynQv6oFwGv/KELSw7ZSdrbTQ0H 
XvZbqMUI7BaMskmvgm1G7oKZ1YiF7O9ioVNc0+7ASbqmZN7Z98EGU/Qh 
2K/BgUe8Hs0XVcdPKrtyYnoQHd2ynKPcMMlTEih2/2HDHjRPJ2aywIpK Nnv4oPo/
com.33656   IN  RRSIG   DNSKEY 8 1 

Re: Servfail on Bind -9.16.1

[upen]

Hi Mark and everyone,

Thank you for continuing to help me.
I have set DNS validation to auto from no and restarted the  bind9 service.

# egrep dnssec-validation /etc/bind/named.conf.options
dnssec-validation auto;

#dig +dnssec +cd dnskey .
; <<>> DiG 9.16.1-Ubuntu <<>> +dnssec +cd dnskey .
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30138
;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 4c28af06251e4b5101005fbb1b1fa619c694e6bff1b4 (good)
;; QUESTION SECTION:
;.  IN  DNSKEY

;; ANSWER SECTION:
.   172780  IN  DNSKEY  256 3 8
AwEAAfC/6HLClwss6h7rPfoG2cliv4/SPJRd2HPEglRsvKZRbPP2RLfi
obeAkczcdqaD5q8loEt14lcTgDqwzOISZ3YvSVkM4JRMFwKzcjukKo5C
sDVbMmhTD0C0yxWICRQ1M+Y5/XkZAT7mt4cb3fWcN9xgyq1wEXQX+zdL
QHrNEVQSiL5SoA5cOtCSoQ45n8bKDXdw/0jjP9Rw1FVKsdzLVkQSrVMm
8k30WUkHm/SK/n/954KENkdQOA6Li2vO9nicQdegyAkDeNJCdPN/p3jE
hCTQLyO4AlAmyaPcDHeeo7OXr/VsYu4NTDde9hBuS0zx/rewD+BvSnmn NHNmH2FjUE8=
.   172780  IN  DNSKEY  257 3 8
AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=
.   172780  IN  RRSIG   DNSKEY 8 0 172800
2020121100 2020112000 20326 .
eD2ohirt98vCTbuBKIH8lmGum8g2zumyXA89A999extXqsWmomgVQhcb
l6zvJHLdFvhBmA+ZqhOTiXvdXpOPeyqHLuMiRv8TTawNU305WPnsonSx
uD5ThT9q7YXUZc9ty19Aur3AU0KtlNGULI+4ExrghEkdTNrysqgDWBO6
zslPuJlzSwu/qZcPWYVjsWRnCtJ9DyCpgLnjSYIUzA0Xz+FWtj1jM0BK
Z9EyO+W5EaGkL2/u+bWWG07ZKJN0NwvTuq7Ounc+lz0zZDh83r/H4KRN
J4VIoY3qPDkW4ZvGdAFM5o8sZdTTWKbieqCqWccj8W6sHEdiZ91JCt/G 3/FVsw==

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Nov 22 20:14:55 CST 2020
;; MSG SIZE  rcvd: 893


The root zone is not forwarded and the file is located at
#ls -al /usr/share/dns/root.hints*
-rw-r--r-- 1 root root 3311 May 29  2019 /usr/share/dns/root.hints
-rw-r--r-- 1 root root   72 May 29  2019 /usr/share/dns/root.hints.sig

Contents of the root.hints file are pasted at https://dpaste.com/EWKCX34NQ
. File is provided with OS package -> dns-root-data  (Description:
2019052802  DNS root data including root zone and DNSSEC key)

Additional files provided by that package
#dpkg-query -L dns-root-data
/.
/usr
/usr/share
/usr/share/dns
/usr/share/dns/root.ds
/usr/share/dns/root.hints
/usr/share/dns/root.hints.sig
/usr/share/dns/root.key
/usr/share/doc
/usr/share/doc/dns-root-data
/usr/share/doc/dns-root-data/changelog.gz
/usr/share/doc/dns-root-data/copyright

Not sure what changed here, I am getting results now even after the
"dnssec-validation" set to auto. Really puzzled

#dig @127.0.0.1  +dnssec +cd dnskey www.facebook.com

; <<>> DiG 9.16.1-Ubuntu <<>> @127.0.0.1 +dnssec +cd dnskey www.facebook.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19781
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 028fb4fde9f61d5301005fbb1fcca2b3cd29887d7e13 (good)
;; QUESTION SECTION:
;www.facebook.com.  IN  DNSKEY

;; ANSWER SECTION:
www.facebook.com.   2395IN  CNAME   star-mini.c10r.facebook.com.

;; AUTHORITY SECTION:
c10r.facebook.com.  216 IN  SOA a.ns.c10r.facebook.com.
dns.facebook.com. 1606098709 300 600 600 300

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Nov 22 20:34:52 CST 2020
;; MSG SIZE  rcvd: 176


Thank you,
Upen




On Sun, Nov 22, 2020 at 5:47 PM Mark Andrews  wrote:

> Ok.  Lets start by debugging this from the trust anchor downwards.
> Lets see what "dig +dnssec +cd dnskey .” returns.  It should return
> something like below with 2 DNSKEY records and a RRSIG for the DNSKEY.
> The RRSIG is regenerated daily so it will likely differ.  The DNSKEY
> records should be a exact match.  In this case flags contains ‘ad’ which
> means that the RRset has previously been validated.
>
> [beetle:~/git/bind9] marka% dig +dnssec +cd dnskey .
> ;; BADCOOKIE, retrying.
>
> ; <<>> DiG 9.15.4 <<>> +dnssec +cd dnskey .
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12403
> ;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ; COOKIE: f182281b307ab59a01005fbaf21fcdc7ab7803361e3c (good)
> ;; QUESTION SECTION:
> ;.  IN  DNSKEY
>
> ;; ANSWER SECTION:
> .   134751  IN  DNSKEY  257 3 8
> AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3

Re: Servfail on Bind -9.16.1

[Mark Andrews]

Ok.  Lets start by debugging this from the trust anchor downwards.
Lets see what "dig +dnssec +cd dnskey .” returns.  It should return
something like below with 2 DNSKEY records and a RRSIG for the DNSKEY.
The RRSIG is regenerated daily so it will likely differ.  The DNSKEY
records should be a exact match.  In this case flags contains ‘ad’ which
means that the RRset has previously been validated.

[beetle:~/git/bind9] marka% dig +dnssec +cd dnskey .
;; BADCOOKIE, retrying.

; <<>> DiG 9.15.4 <<>> +dnssec +cd dnskey .
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12403
;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: f182281b307ab59a01005fbaf21fcdc7ab7803361e3c (good)
;; QUESTION SECTION:
;.  IN  DNSKEY

;; ANSWER SECTION:
.   134751  IN  DNSKEY  257 3 8 
AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv 
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e 
oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd 
RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=
.   134751  IN  DNSKEY  256 3 8 
AwEAAfC/6HLClwss6h7rPfoG2cliv4/SPJRd2HPEglRsvKZRbPP2RLfi 
obeAkczcdqaD5q8loEt14lcTgDqwzOISZ3YvSVkM4JRMFwKzcjukKo5C 
sDVbMmhTD0C0yxWICRQ1M+Y5/XkZAT7mt4cb3fWcN9xgyq1wEXQX+zdL 
QHrNEVQSiL5SoA5cOtCSoQ45n8bKDXdw/0jjP9Rw1FVKsdzLVkQSrVMm 
8k30WUkHm/SK/n/954KENkdQOA6Li2vO9nicQdegyAkDeNJCdPN/p3jE 
hCTQLyO4AlAmyaPcDHeeo7OXr/VsYu4NTDde9hBuS0zx/rewD+BvSnmn NHNmH2FjUE8=
.   134751  IN  RRSIG   DNSKEY 8 0 172800 
2020121100 2020112000 20326 . 
eD2ohirt98vCTbuBKIH8lmGum8g2zumyXA89A999extXqsWmomgVQhcb 
l6zvJHLdFvhBmA+ZqhOTiXvdXpOPeyqHLuMiRv8TTawNU305WPnsonSx 
uD5ThT9q7YXUZc9ty19Aur3AU0KtlNGULI+4ExrghEkdTNrysqgDWBO6 
zslPuJlzSwu/qZcPWYVjsWRnCtJ9DyCpgLnjSYIUzA0Xz+FWtj1jM0BK 
Z9EyO+W5EaGkL2/u+bWWG07ZKJN0NwvTuq7Ounc+lz0zZDh83r/H4KRN 
J4VIoY3qPDkW4ZvGdAFM5o8sZdTTWKbieqCqWccj8W6sHEdiZ91JCt/G 3/FVsw==

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Nov 23 10:19:59 AEDT 2020
;; MSG SIZE  rcvd: 893

[beetle:~/git/bind9] marka% 

If you don’t get answer like this then we need to work out why.

Do you have a local copy of the root zone?  If so is from IANA
or from somewhere else?

Are you forwarding the root zone? If so what do ALL the forwarders
return for "dig +dnssec +cd dnskey . @” where  is
replace by the IP address for each server.  If you are forwarding is
is forward “first” or “only”?

Mark

> On 22 Nov 2020, at 08:20, upen  wrote:
> 
> Hello Ananad, and all,
> 
> >www.facebook.com
> $ dig @127.0.0.1 -t A www.facebook.com
> 
> ; <<>> DiG 9.16.1-Ubuntu <<>> @127.0.0.1 -t A www.facebook.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38917
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: a18d9ed2a6d1bcd601005fb982763dfdafed174d4ef1 (good)
> ;; QUESTION SECTION:
> ;www.facebook.com.  IN  A
> 
> ;; Query time: 4 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Sat Nov 21 15:11:18 CST 2020
> ;; MSG SIZE  rcvd: 73
> 
> >  Your instance of BIND is probably logging to syslog. Look for these logs
> > (usually /var/log/messages), and see what BIND is logging. It may shed a
> > light on the problem.  
> 
> Thank you. I enabled logging and when I grep for www.facebook.com , I notice 
> the following output from four different log files named.
> 
> debug.log:21-Nov-2020 15:11:18.004 queries: info: client @0x7fb6a800c0a0 
> 127.0.0.1#33706 (www.facebook.com): query: www.facebook.com IN A +E(0)K 
> (127.0.0.1)
> default.log:21-Nov-2020 15:11:18.008 client @0x7fb6a800c0a0 127.0.0.1#33706 
> (www.facebook.com): query failed (broken trust chain) for 
> www.facebook.com/IN/A at query.c:6883
> dnssec.log:21-Nov-2020 15:11:18.008 validating www.facebook.com/CNAME: bad 
> cache hit (com/DS)
> lame-servers.log:21-Nov-2020 15:11:18.008 broken trust chain resolving 
> 'www.facebook.com/A/IN': 129.134.31.12#53
> 
> 
> Before running this query I also added dnssec-validation auto; to the options 
> file and restarted the bind9 service. It's pointing to a broken trust chain 
> which I am unsure how to resolve.
> 
> Thanks,
> Upen
> 
> 
> On Sat, Nov 21, 2020 at 3:11 PM Anand Buddhdev  wrote:
> On 21/11/2020 21:53, upen wrote:
> 
> Hi Upen,
> 
> > Could you someone guide me to troubleshoot this further? Thank you for the
> > list.
> 
> Your instance of BIND is probably logging to syslog. Look for these logs
> (usually /var/log/messages), and see what BIND is logging. It may shed a
> light on the problem.
> 
> Regards,
> Anand
> 

Re: Servfail on Bind -9.16.1

[upen]

On Sun, Nov 22, 2020 at 9:35 AM Matus UHLAR - fantomas 
wrote:

> >On Sun, Nov 22, 2020 at 8:14 AM Ismael Suarez 
> >wrote:
>
> >> Also, just for testing. Similar happened to me. Try with
> >> ‘dnssec-validation no;’
>
> On 22.11.20 09:05, upen wrote:
> >Thank you Ismael, you are right .
> >The resolution worked after setting ^^^
> >
> >So to answer Julien also I believe +nodnsdec in the dig would have helped
> >with resolution.
> >
> >So validation is not working it seems . What could be reason for that? Is
> >something wrong on my configuration or network that the dnssec validation
> >can not be used in my configuration.
>
> it's possible that your provider does DNS hijacking.
> DNS over TLS or DNS over HTTPS could help verify that.




Thank you Matus. So this is inside a university network and on a server .
May be the network people do some dns interceptions . I did upload a link
to packet capture which may shed some light on if they do indeed hijack.

But from your reply it sounds like this behavior with auto is not expected
and things should work for those domains so definitely something to check
in my network , configuration end of things.

Thank you
Upen

>
>
>
> >I can set to auto again and run dig +trace if that will help
> >troubleshooting further why validation may not be working. I’m unsure if
> >this is expected or something could be wrong somewhere on my end /network
> .
>
> >> From: bind-users  on behalf of julien
> >> soula 
> >> Sent: Sunday, November 22, 2020 9:31:56 AM
> >> To: upen 
> >> Cc: bind-users@lists.isc.org ; BIND Users <
> >> bind-us...@isc.org>
> >> Subject: Re: Servfail on Bind -9.16.1
> >>
> >> On Sat, Nov 21, 2020 at 03:20:26PM -0600, upen wrote:
> >> > .../...
> >> > default.log:21-Nov-2020 15:11:18.008 client @0x7fb6a800c0a0
> >> 127.0.0.1#33706
> >> > (www.facebook.com<http://www.facebook.com>): query failed (broken
> trust
> >> chain) for
> >> > www.facebook.com/IN/A<http://www.facebook.com/IN/A> at query.c:6883
> >> > dnssec.log:21-Nov-2020 15:11:18.008 validating www.facebook.com/CNAME
> :<
> >> http://www.facebook.com/CNAME:> bad
> >> > cache hit (com/DS)
> >> > lame-servers.log:21-Nov-2020 15:11:18.008 broken trust chain
> resolving '
> >> > www.facebook.com/A/IN':<http://www.facebook.com/A/IN':>
> 129.134.31.12#53
> >>
> >> it seems to be an error in dnssec. So I suppose that "dig +nodnssec
> >> " works.
> >>
> >> May be "dig +trace facebook.com" will give you more hints.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> It's now safe to throw off your computer.
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
-- 
upen,
emerge -uD life (Upgrade Life with dependencies)
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Servfail on Bind -9.16.1

[Matus UHLAR - fantomas]

On Sun, Nov 22, 2020 at 8:14 AM Ismael Suarez 
wrote:



Also, just for testing. Similar happened to me. Try with
‘dnssec-validation no;’


On 22.11.20 09:05, upen wrote:

Thank you Ismael, you are right .
The resolution worked after setting ^^^

So to answer Julien also I believe +nodnsdec in the dig would have helped
with resolution.

So validation is not working it seems . What could be reason for that? Is
something wrong on my configuration or network that the dnssec validation
can not be used in my configuration.


it's possible that your provider does DNS hijacking.
DNS over TLS or DNS over HTTPS could help verify that.



I can set to auto again and run dig +trace if that will help
troubleshooting further why validation may not be working. I’m unsure if
this is expected or something could be wrong somewhere on my end /network .



From: bind-users  on behalf of julien
soula 
Sent: Sunday, November 22, 2020 9:31:56 AM
To: upen 
Cc: bind-users@lists.isc.org ; BIND Users <
bind-us...@isc.org>
Subject: Re: Servfail on Bind -9.16.1

On Sat, Nov 21, 2020 at 03:20:26PM -0600, upen wrote:
> .../...
> default.log:21-Nov-2020 15:11:18.008 client @0x7fb6a800c0a0
127.0.0.1#33706
> (www.facebook.com<http://www.facebook.com>): query failed (broken trust
chain) for
> www.facebook.com/IN/A<http://www.facebook.com/IN/A> at query.c:6883
> dnssec.log:21-Nov-2020 15:11:18.008 validating www.facebook.com/CNAME:<
http://www.facebook.com/CNAME:> bad
> cache hit (com/DS)
> lame-servers.log:21-Nov-2020 15:11:18.008 broken trust chain resolving '
> www.facebook.com/A/IN':<http://www.facebook.com/A/IN':> 129.134.31.12#53

it seems to be an error in dnssec. So I suppose that "dig +nodnssec
" works.

May be "dig +trace facebook.com" will give you more hints.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
It's now safe to throw off your computer.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Servfail on Bind -9.16.1

[upen]

On Sun, Nov 22, 2020 at 8:14 AM Ismael Suarez 
wrote:

> Also, just for testing. Similar happened to me. Try with
> ‘dnssec-validation no;’


Thank you Ismael, you are right .
The resolution worked after setting ^^^

So to answer Julien also I believe +nodnsdec in the dig would have helped
with resolution.

So validation is not working it seems . What could be reason for that? Is
something wrong on my configuration or network that the dnssec validation
can not be used in my configuration.

I can set to auto again and run dig +trace if that will help
troubleshooting further why validation may not be working. I’m unsure if
this is expected or something could be wrong somewhere on my end /network .

Thank you again everyone ,
Ups








> 
> From: bind-users  on behalf of julien
> soula 
> Sent: Sunday, November 22, 2020 9:31:56 AM
> To: upen 
> Cc: bind-users@lists.isc.org ; BIND Users <
> bind-us...@isc.org>
> Subject: Re: Servfail on Bind -9.16.1
>
> On Sat, Nov 21, 2020 at 03:20:26PM -0600, upen wrote:
> > .../...
> > default.log:21-Nov-2020 15:11:18.008 client @0x7fb6a800c0a0
> 127.0.0.1#33706
> > (www.facebook.com<http://www.facebook.com>): query failed (broken trust
> chain) for
> > www.facebook.com/IN/A<http://www.facebook.com/IN/A> at query.c:6883
> > dnssec.log:21-Nov-2020 15:11:18.008 validating www.facebook.com/CNAME:<
> http://www.facebook.com/CNAME:> bad
> > cache hit (com/DS)
> > lame-servers.log:21-Nov-2020 15:11:18.008 broken trust chain resolving '
> > www.facebook.com/A/IN':<http://www.facebook.com/A/IN':> 129.134.31.12#53
>
> it seems to be an error in dnssec. So I suppose that "dig +nodnssec
> " works.
>
> May be "dig +trace facebook.com" will give you more hints.
>
> sincerly,
> --
> Julien
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
-- 
upen,
emerge -uD life (Upgrade Life with dependencies)
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Servfail on Bind -9.16.1

[Ismael Suarez]

Also, just for testing. Similar happened to me. Try with ‘dnssec-validation no;’

From: bind-users  on behalf of julien soula 

Sent: Sunday, November 22, 2020 9:31:56 AM
To: upen 
Cc: bind-users@lists.isc.org ; BIND Users 

Subject: Re: Servfail on Bind -9.16.1

On Sat, Nov 21, 2020 at 03:20:26PM -0600, upen wrote:
> .../...
> default.log:21-Nov-2020 15:11:18.008 client @0x7fb6a800c0a0 127.0.0.1#33706
> (www.facebook.com<http://www.facebook.com>): query failed (broken trust 
> chain) for
> www.facebook.com/IN/A<http://www.facebook.com/IN/A> at query.c:6883
> dnssec.log:21-Nov-2020 15:11:18.008 validating 
> www.facebook.com/CNAME:<http://www.facebook.com/CNAME:> bad
> cache hit (com/DS)
> lame-servers.log:21-Nov-2020 15:11:18.008 broken trust chain resolving '
> www.facebook.com/A/IN':<http://www.facebook.com/A/IN':> 129.134.31.12#53

it seems to be an error in dnssec. So I suppose that "dig +nodnssec
" works.

May be "dig +trace facebook.com" will give you more hints.

sincerly,
--
Julien
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Servfail on Bind -9.16.1

[julien soula]

On Sat, Nov 21, 2020 at 03:20:26PM -0600, upen wrote:
> .../...
> default.log:21-Nov-2020 15:11:18.008 client @0x7fb6a800c0a0 127.0.0.1#33706
> (www.facebook.com): query failed (broken trust chain) for
> www.facebook.com/IN/A at query.c:6883
> dnssec.log:21-Nov-2020 15:11:18.008 validating www.facebook.com/CNAME: bad
> cache hit (com/DS)
> lame-servers.log:21-Nov-2020 15:11:18.008 broken trust chain resolving '
> www.facebook.com/A/IN': 129.134.31.12#53

it seems to be an error in dnssec. So I suppose that "dig +nodnssec
" works.

May be "dig +trace facebook.com" will give you more hints.

sincerly,
-- 
Julien
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Servfail on Bind -9.16.1

[upen]

On Sat, Nov 21, 2020 at 3:45 PM Fred Morris  wrote:

> Check your clock. Have you got NTP turned on? Is it working? If it's not,
> flush cache/restart before you test again.
>
> Thank you Fred,
Checked the time service , It's synced unless I am missing something.

timedatectl timesync-status
   Server: 91.189.89.198 (ntp.ubuntu.com)
Poll interval: 4min 16s (min: 32s; max 34min 8s)
 Leap: normal
  Version: 4
  Stratum: 2
Reference: 91EECB0E
Precision: 1us (-23)
Root distance: 40.389ms (max: 5s)
   Offset: -4.216ms
Delay: 88.989ms
   Jitter: 6.149ms
 Packet count: 4
Frequency: +49.968ppm

Thank you,
Upen
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Servfail on Bind -9.16.1

[Fred Morris]

Check your clock. Have you got NTP turned on? Is it working? If it's not, 
flush cache/restart before you test again.


--

Fred Morris

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Servfail on Bind -9.16.1

[upen]

>packet capture (at a later point)
https://dpaste.com/6FYQ4986D
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Servfail on Bind -9.16.1

[upen]

Hello Ananad, and all,

>www.facebook.com
$ dig @127.0.0.1 -t A www.facebook.com

; <<>> DiG 9.16.1-Ubuntu <<>> @127.0.0.1 -t A www.facebook.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38917
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: a18d9ed2a6d1bcd601005fb982763dfdafed174d4ef1 (good)
;; QUESTION SECTION:
;www.facebook.com.  IN  A

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Nov 21 15:11:18 CST 2020
;; MSG SIZE  rcvd: 73

>  Your instance of BIND is probably logging to syslog. Look for these logs
> (usually /var/log/messages), and see what BIND is logging. It may shed a
> light on the problem.

Thank you. I enabled logging and when I grep for www.facebook.com , I
notice the following output from four different log files named.

debug.log:21-Nov-2020 15:11:18.004 queries: info: client @0x7fb6a800c0a0
127.0.0.1#33706 (www.facebook.com): query: www.facebook.com IN A +E(0)K
(127.0.0.1)
default.log:21-Nov-2020 15:11:18.008 client @0x7fb6a800c0a0 127.0.0.1#33706
(www.facebook.com): query failed (broken trust chain) for
www.facebook.com/IN/A at query.c:6883
dnssec.log:21-Nov-2020 15:11:18.008 validating www.facebook.com/CNAME: bad
cache hit (com/DS)
lame-servers.log:21-Nov-2020 15:11:18.008 broken trust chain resolving '
www.facebook.com/A/IN': 129.134.31.12#53


Before running this query I also added dnssec-validation auto; to the
options file and restarted the bind9 service. It's pointing to a broken
trust chain which I am unsure how to resolve.

Thanks,
Upen


On Sat, Nov 21, 2020 at 3:11 PM Anand Buddhdev  wrote:

> On 21/11/2020 21:53, upen wrote:
>
> Hi Upen,
>
> > Could you someone guide me to troubleshoot this further? Thank you for
> the
> > list.
>
> Your instance of BIND is probably logging to syslog. Look for these logs
> (usually /var/log/messages), and see what BIND is logging. It may shed a
> light on the problem.
>
> Regards,
> Anand
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>


-- 
upen,
emerge -uD life (Upgrade Life with dependencies)
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Servfail on Bind -9.16.1

[Anand Buddhdev]

On 21/11/2020 21:53, upen wrote:

Hi Upen,

> Could you someone guide me to troubleshoot this further? Thank you for the
> list.

Your instance of BIND is probably logging to syslog. Look for these logs
(usually /var/log/messages), and see what BIND is logging. It may shed a
light on the problem.

Regards,
Anand
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Servfail on Bind -9.16.1

[alcol alcol]

are not FQDN ...

maybe www.facebook.com<http://www.facebook.com> not only facebook.com
only facebook.com could be referenced with an A record but maybe not

www.facebook.com<http://www.facebook.com> is a right query




From: bind-users  on behalf of upen 

Sent: Saturday, November 21, 2020 9:53 PM
To: bind-users@lists.isc.org 
Subject: Servfail on Bind -9.16.1

Hello,
I just installed a simple caching Bind9 using the package provided by Ubuntu 
20.04(64bit) OS.

I am not able to look up domains successfully and getting SERVFAILs

$ dig @127.0.0.1<http://127.0.0.1> -t A facebook.com<http://facebook.com>

; <<>> DiG 9.16.1-Ubuntu <<>> @127.0.0.1<http://127.0.0.1> -t A 
facebook.com<http://facebook.com>
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53918
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: fed86438ea8e1ae001005fb97d690fedfa8d92731165 (good)
;; QUESTION SECTION:
;facebook.com<http://facebook.com>.  IN  A

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Nov 21 14:49:45 CST 2020
;; MSG SIZE  rcvd: 69

$ dig @127.0.0.1<http://127.0.0.1> -t A yahoo.com<http://yahoo.com>

; <<>> DiG 9.16.1-Ubuntu <<>> @127.0.0.1<http://127.0.0.1> -t A 
yahoo.com<http://yahoo.com>
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20121
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: dc35adc3d416442701005fb97d6d9b599c886356e697 (good)
;; QUESTION SECTION:
;yahoo.com<http://yahoo.com>. IN  A

;; Query time: 224 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Nov 21 14:49:49 CST 2020
;; MSG SIZE  rcvd: 66


# cat /etc/bind/named.conf.options
acl whitelist {
127.0.0.1;
localhost;
};

options {
directory "/var/cache/bind";
recursion yes;
allow-query { whitelist; };
allow-recursion { whitelist ; };
querylog yes;
};

# ps -ef | grep named
bind3260   1  0 14:31 ?00:00:00 /usr/sbin/named -f -4 -u 
bind

Could you someone guide me to troubleshoot this further? Thank you for the list.

Thanks,
Upen
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Servfail on Bind -9.16.1

[upen]

Hello,
I just installed a simple caching Bind9 using the package provided by
Ubuntu 20.04(64bit) OS.

I am not able to look up domains successfully and getting SERVFAILs

$ dig @127.0.0.1 -t A facebook.com

; <<>> DiG 9.16.1-Ubuntu <<>> @127.0.0.1 -t A facebook.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53918
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: fed86438ea8e1ae001005fb97d690fedfa8d92731165 (good)
;; QUESTION SECTION:
;facebook.com.  IN  A

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Nov 21 14:49:45 CST 2020
;; MSG SIZE  rcvd: 69

$ dig @127.0.0.1 -t A yahoo.com

; <<>> DiG 9.16.1-Ubuntu <<>> @127.0.0.1 -t A yahoo.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20121
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: dc35adc3d416442701005fb97d6d9b599c886356e697 (good)
;; QUESTION SECTION:
;yahoo.com. IN  A

;; Query time: 224 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Nov 21 14:49:49 CST 2020
;; MSG SIZE  rcvd: 66


# cat /etc/bind/named.conf.options
acl whitelist {
127.0.0.1;
localhost;
};

options {
directory "/var/cache/bind";
recursion yes;
allow-query { whitelist; };
allow-recursion { whitelist ; };
querylog yes;
};

# ps -ef | grep named
bind3260   1  0 14:31 ?00:00:00 /usr/sbin/named -f -4
-u bind

Could you someone guide me to troubleshoot this further? Thank you for the
list.

Thanks,
Upen
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users