Re: Servfail on Bind -9.16.1
Hello, Thank you. 1. DS record for com #dig DS com +dnssec ; <<>> DiG 9.16.1-Ubuntu <<>> DS com +dnssec ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14029 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ; COOKIE: fdfd77fc04700d7201005fbb323fa7e65af53e803915 (good) ;; QUESTION SECTION: ;com. IN DS ;; ANSWER SECTION: com.80472 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766 com.80472 IN RRSIG DS 8 1 86400 2020120517 2020112216 26116 . fu2mVhKX9+oDAx9T8LrIyli5yTBk28mCDw8SbAuIFKuRhGI8QiOgchEZ 0KzSaSpfBHpgVoq6mN8WFHeSPhPeZ5EOMbXvMjv9nvHNVKylu4C5mSRt nWuoVXU531uYFEtuqJgcCoNBsiIznbq/3GkAZeYkc8pj/Hkma/p0/QYh Lb1Mz/lW4SJNc03Kw0jDNw6Z2C1XGvDG3iHeJ6CFrZrvp7U41qDNqZEm NT7T7/JXoUdy6evi6LCLXtZ4QAqKv5HReDRlVTkmAWVnQw+PtJ75nvCV 4pP3jp5ih70OSCQx3iB7xJ/8GtWiI5DvD9fmlbX8CRNu12sKX1/e/Lxd Ph1JXw== ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Sun Nov 22 21:53:35 CST 2020 ;; MSG SIZE rcvd: 395 2. DNSSEC KEY for com #dig DNSKEY com +dnssec ; <<>> DiG 9.16.1-Ubuntu <<>> DNSKEY com +dnssec ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4992 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ; COOKIE: dc1c3f1a640d17b001005fbb32a0c7fadb271d47476e (good) ;; QUESTION SECTION: ;com. IN DNSKEY ;; ANSWER SECTION: com.80375 IN DNSKEY 257 3 8 AQPDzldNmMvZFX4NcNJ0uEnKDg7tmv/F3MyQR0lpBmVcNcsIszxNFxsB fKNW9JYCYqpik8366LE7VbIcNRzfp2h9OO8HRl+H+E08zauK8k7evWEm u/6od+2boggPoiEfGNyvNPaSI7FOIroDsnw/taggzHRX1Z7SOiOiPWPN IwSUyWOZ79VmcQ1GLkC6NlYvG3HwYmynQv6oFwGv/KELSw7ZSdrbTQ0H XvZbqMUI7BaMskmvgm1G7oKZ1YiF7O9ioVNc0+7ASbqmZN7Z98EGU/Qh 2K/BgUe8Hs0XVcdPKrtyYnoQHd2ynKPcMMlTEih2/2HDHjRPJ2aywIpK Nnv4oPo/ com.80375 IN DNSKEY 256 3 8 AwEAAadfNlrLwDe1W0klTRoNDeeEfZAop76YMUvOtl2pu0lXE5Fzj1sD ROflxnOGTI9RfwrA0rD0ixBkW32Pu1nheytLBrPZ32hva+iY8jYQ/TPi Msbc/soa8KHQ77eaJtJAImc+VLuXrI1QmRyrywJWU1fkZ9GyPP5YAhgn ttH6ZDXgMeJYjzs5CLfMiV9vAWFgJvy98bG97JP3PpHL9/8BTGM= com.80375 IN RRSIG DNSKEY 8 1 86400 20201206192421 20201121191921 30909 com. K3w8cixeKqKbELJMyFynhuA+1oQYbLNSZhZ1NcSofx+ND3ImYoQ4rodY uZokFmKvJkZvrBMSF0tfwWLYbyX+Xw2Fb//KKDD6gluN/evmoH3xv/XC j4WFRUwF1L5jPjeylY233GzQN2RVHDFFpsdczcGwNp2BqyBMXHe2Lv+1 kOeTfEoA/XJdZSEMlo3V0xq6sxB9747wRfHm17ockLIHtWMI8eSyIO92 nTQj2WZninySf6N8yb5tGUu0ABoXlVF6fc9INybFNTZg7gF85hfCtjK4 Ko6W97d1CW5AyvGprYtJgNQDqzqoP7qkvFI4oSRDZJITwamhci90hBMv cXZDWA== ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Sun Nov 22 21:55:12 CST 2020 ;; MSG SIZE rcvd: 805 3. DS Record for facebook.com #dig @127.0.0.1 DS facebook.com +dnssec ; <<>> DiG 9.16.1-Ubuntu <<>> @127.0.0.1 DS facebook.com +dnssec ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46111 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ; COOKIE: ccfca253df729ea801005fbb331e11884fb6d63208e5 (good) ;; QUESTION SECTION: ;facebook.com. IN DS ;; AUTHORITY SECTION: com.882 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1606103797 1800 900 604800 86400 com.882 IN RRSIG SOA 8 1 900 20201130035637 20201123024637 31510 com. CGHfYUjxwqYzK47ZkmMbdc7EVOnRYIjznaXmlMUphkxmWaw94HPio88H U8kUx3H1wd3h9Ahtgsk74ctwILFBiUH2SHtQZ7HYJvRAZBv5+JvxSH54 aKLMOJWBoeS2M9UFeUcoC/IAkgyOG/4sfkz0W4hdV6vsgZsTLCoGjXnj kQu1W/d6b7SttLX0pMg6OIwEXJbGlWnRIycaBt19tFmm6A== CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 882 IN RRSIG NSEC3 8 2 86400 20201129054027 20201122043027 31510 com. kZw7h9mbKgXQ2YhIp+jKmg5xOUmZq7HPGRTZ2ERwIA5FjOBIkEWqWHga SZhV/78SqH26QbwCXQnf0Hv7xzMdVwYOr7FwDE+7a//cL8yRe5pBd5Bb y1QORmqRT8kTshhedhwyxjzk4TxcN8M0/JqiDUhb6iHacDFqqwIhm13l Wy0xjM5nojLmY/fYuH/mKSsz5XlfEKGqG5q1FbZUZWhj3Q== CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 882 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM I28FT380NFMJ3TJ970NBAD0HSSK1LEOK.com. 882 IN RRSIG NSEC3 8 2 86400 20201127071904 20201120060904 31510 com. VuV00I8jZMAbQmVLBub0Yfk5eEng8NkCFrPCvK/19YpzEzkWKPpOVcya xZqYZzAVBhSP/n2/kcC8tkDMFZHL8rbGAg/jPpJCAhp2Tszhc8pzqKtZ CmFMZtO8HQGx1ZjCGpzHZ+6/5irvE7NJrkndTmoOd/1RfS/WeZseAkCb 204Td7fE0C5D/8oGRb81vFICH2IjnykeoEguPvWLXnWfqw== I28FT380NFMJ3TJ970NBAD0HSSK1LEOK.com. 882 IN NSEC3 1 1 0 - I28GLTLV5D2H16BES4T7GHH4AABNFOB0 NS DS RRSIG ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Sun Nov 22 21:57:18 CST 2020 ;; MSG SIZE rcvd: 889 Thank you for that information Mark. I appreciate it. It looks like it's
Re: Servfail on Bind -9.16.1
> On 23 Nov 2020, at 13:37, upen wrote: > > Hi Mark and everyone, > > Thank you for continuing to help me. > I have set DNS validation to auto from no and restarted the bind9 service. > > # egrep dnssec-validation /etc/bind/named.conf.options > dnssec-validation auto; > > #dig +dnssec +cd dnskey . > ; <<>> DiG 9.16.1-Ubuntu <<>> +dnssec +cd dnskey . > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30138 > ;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 > > ;; OPT PSEUDOSECTION: > ; EDNS: version: 0, flags: do; udp: 4096 > ; COOKIE: 4c28af06251e4b5101005fbb1b1fa619c694e6bff1b4 (good) > ;; QUESTION SECTION: > ;. IN DNSKEY > > ;; ANSWER SECTION: > . 172780 IN DNSKEY 256 3 8 > AwEAAfC/6HLClwss6h7rPfoG2cliv4/SPJRd2HPEglRsvKZRbPP2RLfi > obeAkczcdqaD5q8loEt14lcTgDqwzOISZ3YvSVkM4JRMFwKzcjukKo5C > sDVbMmhTD0C0yxWICRQ1M+Y5/XkZAT7mt4cb3fWcN9xgyq1wEXQX+zdL > QHrNEVQSiL5SoA5cOtCSoQ45n8bKDXdw/0jjP9Rw1FVKsdzLVkQSrVMm > 8k30WUkHm/SK/n/954KENkdQOA6Li2vO9nicQdegyAkDeNJCdPN/p3jE > hCTQLyO4AlAmyaPcDHeeo7OXr/VsYu4NTDde9hBuS0zx/rewD+BvSnmn NHNmH2FjUE8= > . 172780 IN DNSKEY 257 3 8 > AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 > +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv > ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF > 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e > oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd > RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU= > . 172780 IN RRSIG DNSKEY 8 0 172800 > 2020121100 2020112000 20326 . > eD2ohirt98vCTbuBKIH8lmGum8g2zumyXA89A999extXqsWmomgVQhcb > l6zvJHLdFvhBmA+ZqhOTiXvdXpOPeyqHLuMiRv8TTawNU305WPnsonSx > uD5ThT9q7YXUZc9ty19Aur3AU0KtlNGULI+4ExrghEkdTNrysqgDWBO6 > zslPuJlzSwu/qZcPWYVjsWRnCtJ9DyCpgLnjSYIUzA0Xz+FWtj1jM0BK > Z9EyO+W5EaGkL2/u+bWWG07ZKJN0NwvTuq7Ounc+lz0zZDh83r/H4KRN > J4VIoY3qPDkW4ZvGdAFM5o8sZdTTWKbieqCqWccj8W6sHEdiZ91JCt/G 3/FVsw== > > ;; Query time: 0 msec > ;; SERVER: 127.0.0.1#53(127.0.0.1) > ;; WHEN: Sun Nov 22 20:14:55 CST 2020 > ;; MSG SIZE rcvd: 893 so it looks like you are correctly able to validate the root’s DNSKEY records (‘ad’ is set in flags). Next look at the next delegation to COM. The DS record for COM should look like this [beetle:bin/tests/system] marka% dig DS com +dnssec ;; BADCOOKIE, retrying. ; <<>> DiG 9.15.4 <<>> DS com +dnssec ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4356 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ; COOKIE: 5b7d57a994cac97701005fbb2bcb06affb16b27b98ff (good) ;; QUESTION SECTION: ;com. IN DS ;; ANSWER SECTION: com.33649 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766 com.33649 IN RRSIG DS 8 1 86400 2020120505 2020112204 26116 . lYnjXIlENOzhY5t94JrTnNjkRxfaIvfhfwrxC4KQbVgGIbqfxRqjGlIu 8JIHQaKoIfxXqP93MNhkKvFhOK3t/hYGvQEND/A7x+ktC+0uQFvF0CvE p3qRwQ0HuwR8OSXyS07AjZWTjSUXKqI8/bctkx7CegJtn8uk872tdqEF dnWZT6Tvqtt2NrveR5baSdHybrmoftbCDxndfRKOv/pjcpe0Qy7EDXWQ YL4I9qPtA5+GdxUWvBTWDXCrYKWxfoj6S5L+kPproaiGCABq7XalJIt8 RdbBCkCANipsmBXAv61vy3BEyuJEjQqFxzi+MleJfxRSkaljIXd8A/d4 UM7sRg== ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Mon Nov 23 14:26:03 AEDT 2020 ;; MSG SIZE rcvd: 395 [beetle:bin/tests/system] marka% and the DNSKEY records for COM should look like this [beetle:bin/tests/system] marka% dig DNSKEY com +dnssec ;; BADCOOKIE, retrying. ; <<>> DiG 9.15.4 <<>> DNSKEY com +dnssec ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25522 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ; COOKIE: 3ebc796c874b8ce901005fbb2c17cd6a9d9d8b8a5977 (good) ;; QUESTION SECTION: ;com. IN DNSKEY ;; ANSWER SECTION: com.33656 IN DNSKEY 256 3 8 AwEAAadfNlrLwDe1W0klTRoNDeeEfZAop76YMUvOtl2pu0lXE5Fzj1sD ROflxnOGTI9RfwrA0rD0ixBkW32Pu1nheytLBrPZ32hva+iY8jYQ/TPi Msbc/soa8KHQ77eaJtJAImc+VLuXrI1QmRyrywJWU1fkZ9GyPP5YAhgn ttH6ZDXgMeJYjzs5CLfMiV9vAWFgJvy98bG97JP3PpHL9/8BTGM= com.33656 IN DNSKEY 257 3 8 AQPDzldNmMvZFX4NcNJ0uEnKDg7tmv/F3MyQR0lpBmVcNcsIszxNFxsB fKNW9JYCYqpik8366LE7VbIcNRzfp2h9OO8HRl+H+E08zauK8k7evWEm u/6od+2boggPoiEfGNyvNPaSI7FOIroDsnw/taggzHRX1Z7SOiOiPWPN IwSUyWOZ79VmcQ1GLkC6NlYvG3HwYmynQv6oFwGv/KELSw7ZSdrbTQ0H XvZbqMUI7BaMskmvgm1G7oKZ1YiF7O9ioVNc0+7ASbqmZN7Z98EGU/Qh 2K/BgUe8Hs0XVcdPKrtyYnoQHd2ynKPcMMlTEih2/2HDHjRPJ2aywIpK Nnv4oPo/ com.33656 IN RRSIG DNSKEY 8 1
Re: Servfail on Bind -9.16.1
Hi Mark and everyone, Thank you for continuing to help me. I have set DNS validation to auto from no and restarted the bind9 service. # egrep dnssec-validation /etc/bind/named.conf.options dnssec-validation auto; #dig +dnssec +cd dnskey . ; <<>> DiG 9.16.1-Ubuntu <<>> +dnssec +cd dnskey . ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30138 ;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ; COOKIE: 4c28af06251e4b5101005fbb1b1fa619c694e6bff1b4 (good) ;; QUESTION SECTION: ;. IN DNSKEY ;; ANSWER SECTION: . 172780 IN DNSKEY 256 3 8 AwEAAfC/6HLClwss6h7rPfoG2cliv4/SPJRd2HPEglRsvKZRbPP2RLfi obeAkczcdqaD5q8loEt14lcTgDqwzOISZ3YvSVkM4JRMFwKzcjukKo5C sDVbMmhTD0C0yxWICRQ1M+Y5/XkZAT7mt4cb3fWcN9xgyq1wEXQX+zdL QHrNEVQSiL5SoA5cOtCSoQ45n8bKDXdw/0jjP9Rw1FVKsdzLVkQSrVMm 8k30WUkHm/SK/n/954KENkdQOA6Li2vO9nicQdegyAkDeNJCdPN/p3jE hCTQLyO4AlAmyaPcDHeeo7OXr/VsYu4NTDde9hBuS0zx/rewD+BvSnmn NHNmH2FjUE8= . 172780 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU= . 172780 IN RRSIG DNSKEY 8 0 172800 2020121100 2020112000 20326 . eD2ohirt98vCTbuBKIH8lmGum8g2zumyXA89A999extXqsWmomgVQhcb l6zvJHLdFvhBmA+ZqhOTiXvdXpOPeyqHLuMiRv8TTawNU305WPnsonSx uD5ThT9q7YXUZc9ty19Aur3AU0KtlNGULI+4ExrghEkdTNrysqgDWBO6 zslPuJlzSwu/qZcPWYVjsWRnCtJ9DyCpgLnjSYIUzA0Xz+FWtj1jM0BK Z9EyO+W5EaGkL2/u+bWWG07ZKJN0NwvTuq7Ounc+lz0zZDh83r/H4KRN J4VIoY3qPDkW4ZvGdAFM5o8sZdTTWKbieqCqWccj8W6sHEdiZ91JCt/G 3/FVsw== ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Sun Nov 22 20:14:55 CST 2020 ;; MSG SIZE rcvd: 893 The root zone is not forwarded and the file is located at #ls -al /usr/share/dns/root.hints* -rw-r--r-- 1 root root 3311 May 29 2019 /usr/share/dns/root.hints -rw-r--r-- 1 root root 72 May 29 2019 /usr/share/dns/root.hints.sig Contents of the root.hints file are pasted at https://dpaste.com/EWKCX34NQ . File is provided with OS package -> dns-root-data (Description: 2019052802 DNS root data including root zone and DNSSEC key) Additional files provided by that package #dpkg-query -L dns-root-data /. /usr /usr/share /usr/share/dns /usr/share/dns/root.ds /usr/share/dns/root.hints /usr/share/dns/root.hints.sig /usr/share/dns/root.key /usr/share/doc /usr/share/doc/dns-root-data /usr/share/doc/dns-root-data/changelog.gz /usr/share/doc/dns-root-data/copyright Not sure what changed here, I am getting results now even after the "dnssec-validation" set to auto. Really puzzled #dig @127.0.0.1 +dnssec +cd dnskey www.facebook.com ; <<>> DiG 9.16.1-Ubuntu <<>> @127.0.0.1 +dnssec +cd dnskey www.facebook.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19781 ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ; COOKIE: 028fb4fde9f61d5301005fbb1fcca2b3cd29887d7e13 (good) ;; QUESTION SECTION: ;www.facebook.com. IN DNSKEY ;; ANSWER SECTION: www.facebook.com. 2395IN CNAME star-mini.c10r.facebook.com. ;; AUTHORITY SECTION: c10r.facebook.com. 216 IN SOA a.ns.c10r.facebook.com. dns.facebook.com. 1606098709 300 600 600 300 ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Sun Nov 22 20:34:52 CST 2020 ;; MSG SIZE rcvd: 176 Thank you, Upen On Sun, Nov 22, 2020 at 5:47 PM Mark Andrews wrote: > Ok. Lets start by debugging this from the trust anchor downwards. > Lets see what "dig +dnssec +cd dnskey .” returns. It should return > something like below with 2 DNSKEY records and a RRSIG for the DNSKEY. > The RRSIG is regenerated daily so it will likely differ. The DNSKEY > records should be a exact match. In this case flags contains ‘ad’ which > means that the RRset has previously been validated. > > [beetle:~/git/bind9] marka% dig +dnssec +cd dnskey . > ;; BADCOOKIE, retrying. > > ; <<>> DiG 9.15.4 <<>> +dnssec +cd dnskey . > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12403 > ;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 > > ;; OPT PSEUDOSECTION: > ; EDNS: version: 0, flags: do; udp: 4096 > ; COOKIE: f182281b307ab59a01005fbaf21fcdc7ab7803361e3c (good) > ;; QUESTION SECTION: > ;. IN DNSKEY > > ;; ANSWER SECTION: > . 134751 IN DNSKEY 257 3 8 > AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
Re: Servfail on Bind -9.16.1
Ok. Lets start by debugging this from the trust anchor downwards. Lets see what "dig +dnssec +cd dnskey .” returns. It should return something like below with 2 DNSKEY records and a RRSIG for the DNSKEY. The RRSIG is regenerated daily so it will likely differ. The DNSKEY records should be a exact match. In this case flags contains ‘ad’ which means that the RRset has previously been validated. [beetle:~/git/bind9] marka% dig +dnssec +cd dnskey . ;; BADCOOKIE, retrying. ; <<>> DiG 9.15.4 <<>> +dnssec +cd dnskey . ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12403 ;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ; COOKIE: f182281b307ab59a01005fbaf21fcdc7ab7803361e3c (good) ;; QUESTION SECTION: ;. IN DNSKEY ;; ANSWER SECTION: . 134751 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU= . 134751 IN DNSKEY 256 3 8 AwEAAfC/6HLClwss6h7rPfoG2cliv4/SPJRd2HPEglRsvKZRbPP2RLfi obeAkczcdqaD5q8loEt14lcTgDqwzOISZ3YvSVkM4JRMFwKzcjukKo5C sDVbMmhTD0C0yxWICRQ1M+Y5/XkZAT7mt4cb3fWcN9xgyq1wEXQX+zdL QHrNEVQSiL5SoA5cOtCSoQ45n8bKDXdw/0jjP9Rw1FVKsdzLVkQSrVMm 8k30WUkHm/SK/n/954KENkdQOA6Li2vO9nicQdegyAkDeNJCdPN/p3jE hCTQLyO4AlAmyaPcDHeeo7OXr/VsYu4NTDde9hBuS0zx/rewD+BvSnmn NHNmH2FjUE8= . 134751 IN RRSIG DNSKEY 8 0 172800 2020121100 2020112000 20326 . eD2ohirt98vCTbuBKIH8lmGum8g2zumyXA89A999extXqsWmomgVQhcb l6zvJHLdFvhBmA+ZqhOTiXvdXpOPeyqHLuMiRv8TTawNU305WPnsonSx uD5ThT9q7YXUZc9ty19Aur3AU0KtlNGULI+4ExrghEkdTNrysqgDWBO6 zslPuJlzSwu/qZcPWYVjsWRnCtJ9DyCpgLnjSYIUzA0Xz+FWtj1jM0BK Z9EyO+W5EaGkL2/u+bWWG07ZKJN0NwvTuq7Ounc+lz0zZDh83r/H4KRN J4VIoY3qPDkW4ZvGdAFM5o8sZdTTWKbieqCqWccj8W6sHEdiZ91JCt/G 3/FVsw== ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Mon Nov 23 10:19:59 AEDT 2020 ;; MSG SIZE rcvd: 893 [beetle:~/git/bind9] marka% If you don’t get answer like this then we need to work out why. Do you have a local copy of the root zone? If so is from IANA or from somewhere else? Are you forwarding the root zone? If so what do ALL the forwarders return for "dig +dnssec +cd dnskey . @” where is replace by the IP address for each server. If you are forwarding is is forward “first” or “only”? Mark > On 22 Nov 2020, at 08:20, upen wrote: > > Hello Ananad, and all, > > >www.facebook.com > $ dig @127.0.0.1 -t A www.facebook.com > > ; <<>> DiG 9.16.1-Ubuntu <<>> @127.0.0.1 -t A www.facebook.com > ; (1 server found) > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38917 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 > > ;; OPT PSEUDOSECTION: > ; EDNS: version: 0, flags:; udp: 4096 > ; COOKIE: a18d9ed2a6d1bcd601005fb982763dfdafed174d4ef1 (good) > ;; QUESTION SECTION: > ;www.facebook.com. IN A > > ;; Query time: 4 msec > ;; SERVER: 127.0.0.1#53(127.0.0.1) > ;; WHEN: Sat Nov 21 15:11:18 CST 2020 > ;; MSG SIZE rcvd: 73 > > > Your instance of BIND is probably logging to syslog. Look for these logs > > (usually /var/log/messages), and see what BIND is logging. It may shed a > > light on the problem. > > Thank you. I enabled logging and when I grep for www.facebook.com , I notice > the following output from four different log files named. > > debug.log:21-Nov-2020 15:11:18.004 queries: info: client @0x7fb6a800c0a0 > 127.0.0.1#33706 (www.facebook.com): query: www.facebook.com IN A +E(0)K > (127.0.0.1) > default.log:21-Nov-2020 15:11:18.008 client @0x7fb6a800c0a0 127.0.0.1#33706 > (www.facebook.com): query failed (broken trust chain) for > www.facebook.com/IN/A at query.c:6883 > dnssec.log:21-Nov-2020 15:11:18.008 validating www.facebook.com/CNAME: bad > cache hit (com/DS) > lame-servers.log:21-Nov-2020 15:11:18.008 broken trust chain resolving > 'www.facebook.com/A/IN': 129.134.31.12#53 > > > Before running this query I also added dnssec-validation auto; to the options > file and restarted the bind9 service. It's pointing to a broken trust chain > which I am unsure how to resolve. > > Thanks, > Upen > > > On Sat, Nov 21, 2020 at 3:11 PM Anand Buddhdev wrote: > On 21/11/2020 21:53, upen wrote: > > Hi Upen, > > > Could you someone guide me to troubleshoot this further? Thank you for the > > list. > > Your instance of BIND is probably logging to syslog. Look for these logs > (usually /var/log/messages), and see what BIND is logging. It may shed a > light on the problem. > > Regards, > Anand >
Re: Servfail on Bind -9.16.1
On Sun, Nov 22, 2020 at 9:35 AM Matus UHLAR - fantomas wrote: > >On Sun, Nov 22, 2020 at 8:14 AM Ismael Suarez > >wrote: > > >> Also, just for testing. Similar happened to me. Try with > >> ‘dnssec-validation no;’ > > On 22.11.20 09:05, upen wrote: > >Thank you Ismael, you are right . > >The resolution worked after setting ^^^ > > > >So to answer Julien also I believe +nodnsdec in the dig would have helped > >with resolution. > > > >So validation is not working it seems . What could be reason for that? Is > >something wrong on my configuration or network that the dnssec validation > >can not be used in my configuration. > > it's possible that your provider does DNS hijacking. > DNS over TLS or DNS over HTTPS could help verify that. Thank you Matus. So this is inside a university network and on a server . May be the network people do some dns interceptions . I did upload a link to packet capture which may shed some light on if they do indeed hijack. But from your reply it sounds like this behavior with auto is not expected and things should work for those domains so definitely something to check in my network , configuration end of things. Thank you Upen > > > > >I can set to auto again and run dig +trace if that will help > >troubleshooting further why validation may not be working. I’m unsure if > >this is expected or something could be wrong somewhere on my end /network > . > > >> From: bind-users on behalf of julien > >> soula > >> Sent: Sunday, November 22, 2020 9:31:56 AM > >> To: upen > >> Cc: bind-users@lists.isc.org ; BIND Users < > >> bind-us...@isc.org> > >> Subject: Re: Servfail on Bind -9.16.1 > >> > >> On Sat, Nov 21, 2020 at 03:20:26PM -0600, upen wrote: > >> > .../... > >> > default.log:21-Nov-2020 15:11:18.008 client @0x7fb6a800c0a0 > >> 127.0.0.1#33706 > >> > (www.facebook.com<http://www.facebook.com>): query failed (broken > trust > >> chain) for > >> > www.facebook.com/IN/A<http://www.facebook.com/IN/A> at query.c:6883 > >> > dnssec.log:21-Nov-2020 15:11:18.008 validating www.facebook.com/CNAME > :< > >> http://www.facebook.com/CNAME:> bad > >> > cache hit (com/DS) > >> > lame-servers.log:21-Nov-2020 15:11:18.008 broken trust chain > resolving ' > >> > www.facebook.com/A/IN':<http://www.facebook.com/A/IN':> > 129.134.31.12#53 > >> > >> it seems to be an error in dnssec. So I suppose that "dig +nodnssec > >> " works. > >> > >> May be "dig +trace facebook.com" will give you more hints. > > -- > Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ > Warning: I wish NOT to receive e-mail advertising to this address. > Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. > It's now safe to throw off your computer. > ___ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to > unsubscribe from this list > > ISC funds the development of this software with paid support > subscriptions. Contact us at https://www.isc.org/contact/ for more > information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users > -- upen, emerge -uD life (Upgrade Life with dependencies) ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Servfail on Bind -9.16.1
On Sun, Nov 22, 2020 at 8:14 AM Ismael Suarez wrote: Also, just for testing. Similar happened to me. Try with ‘dnssec-validation no;’ On 22.11.20 09:05, upen wrote: Thank you Ismael, you are right . The resolution worked after setting ^^^ So to answer Julien also I believe +nodnsdec in the dig would have helped with resolution. So validation is not working it seems . What could be reason for that? Is something wrong on my configuration or network that the dnssec validation can not be used in my configuration. it's possible that your provider does DNS hijacking. DNS over TLS or DNS over HTTPS could help verify that. I can set to auto again and run dig +trace if that will help troubleshooting further why validation may not be working. I’m unsure if this is expected or something could be wrong somewhere on my end /network . From: bind-users on behalf of julien soula Sent: Sunday, November 22, 2020 9:31:56 AM To: upen Cc: bind-users@lists.isc.org ; BIND Users < bind-us...@isc.org> Subject: Re: Servfail on Bind -9.16.1 On Sat, Nov 21, 2020 at 03:20:26PM -0600, upen wrote: > .../... > default.log:21-Nov-2020 15:11:18.008 client @0x7fb6a800c0a0 127.0.0.1#33706 > (www.facebook.com<http://www.facebook.com>): query failed (broken trust chain) for > www.facebook.com/IN/A<http://www.facebook.com/IN/A> at query.c:6883 > dnssec.log:21-Nov-2020 15:11:18.008 validating www.facebook.com/CNAME:< http://www.facebook.com/CNAME:> bad > cache hit (com/DS) > lame-servers.log:21-Nov-2020 15:11:18.008 broken trust chain resolving ' > www.facebook.com/A/IN':<http://www.facebook.com/A/IN':> 129.134.31.12#53 it seems to be an error in dnssec. So I suppose that "dig +nodnssec " works. May be "dig +trace facebook.com" will give you more hints. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. It's now safe to throw off your computer. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Servfail on Bind -9.16.1
On Sun, Nov 22, 2020 at 8:14 AM Ismael Suarez wrote: > Also, just for testing. Similar happened to me. Try with > ‘dnssec-validation no;’ Thank you Ismael, you are right . The resolution worked after setting ^^^ So to answer Julien also I believe +nodnsdec in the dig would have helped with resolution. So validation is not working it seems . What could be reason for that? Is something wrong on my configuration or network that the dnssec validation can not be used in my configuration. I can set to auto again and run dig +trace if that will help troubleshooting further why validation may not be working. I’m unsure if this is expected or something could be wrong somewhere on my end /network . Thank you again everyone , Ups > > From: bind-users on behalf of julien > soula > Sent: Sunday, November 22, 2020 9:31:56 AM > To: upen > Cc: bind-users@lists.isc.org ; BIND Users < > bind-us...@isc.org> > Subject: Re: Servfail on Bind -9.16.1 > > On Sat, Nov 21, 2020 at 03:20:26PM -0600, upen wrote: > > .../... > > default.log:21-Nov-2020 15:11:18.008 client @0x7fb6a800c0a0 > 127.0.0.1#33706 > > (www.facebook.com<http://www.facebook.com>): query failed (broken trust > chain) for > > www.facebook.com/IN/A<http://www.facebook.com/IN/A> at query.c:6883 > > dnssec.log:21-Nov-2020 15:11:18.008 validating www.facebook.com/CNAME:< > http://www.facebook.com/CNAME:> bad > > cache hit (com/DS) > > lame-servers.log:21-Nov-2020 15:11:18.008 broken trust chain resolving ' > > www.facebook.com/A/IN':<http://www.facebook.com/A/IN':> 129.134.31.12#53 > > it seems to be an error in dnssec. So I suppose that "dig +nodnssec > " works. > > May be "dig +trace facebook.com" will give you more hints. > > sincerly, > -- > Julien > ___ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to > unsubscribe from this list > > ISC funds the development of this software with paid support > subscriptions. Contact us at https://www.isc.org/contact/ for more > information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users > -- upen, emerge -uD life (Upgrade Life with dependencies) ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Servfail on Bind -9.16.1
Also, just for testing. Similar happened to me. Try with ‘dnssec-validation no;’ From: bind-users on behalf of julien soula Sent: Sunday, November 22, 2020 9:31:56 AM To: upen Cc: bind-users@lists.isc.org ; BIND Users Subject: Re: Servfail on Bind -9.16.1 On Sat, Nov 21, 2020 at 03:20:26PM -0600, upen wrote: > .../... > default.log:21-Nov-2020 15:11:18.008 client @0x7fb6a800c0a0 127.0.0.1#33706 > (www.facebook.com<http://www.facebook.com>): query failed (broken trust > chain) for > www.facebook.com/IN/A<http://www.facebook.com/IN/A> at query.c:6883 > dnssec.log:21-Nov-2020 15:11:18.008 validating > www.facebook.com/CNAME:<http://www.facebook.com/CNAME:> bad > cache hit (com/DS) > lame-servers.log:21-Nov-2020 15:11:18.008 broken trust chain resolving ' > www.facebook.com/A/IN':<http://www.facebook.com/A/IN':> 129.134.31.12#53 it seems to be an error in dnssec. So I suppose that "dig +nodnssec " works. May be "dig +trace facebook.com" will give you more hints. sincerly, -- Julien ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Servfail on Bind -9.16.1
On Sat, Nov 21, 2020 at 03:20:26PM -0600, upen wrote: > .../... > default.log:21-Nov-2020 15:11:18.008 client @0x7fb6a800c0a0 127.0.0.1#33706 > (www.facebook.com): query failed (broken trust chain) for > www.facebook.com/IN/A at query.c:6883 > dnssec.log:21-Nov-2020 15:11:18.008 validating www.facebook.com/CNAME: bad > cache hit (com/DS) > lame-servers.log:21-Nov-2020 15:11:18.008 broken trust chain resolving ' > www.facebook.com/A/IN': 129.134.31.12#53 it seems to be an error in dnssec. So I suppose that "dig +nodnssec " works. May be "dig +trace facebook.com" will give you more hints. sincerly, -- Julien ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Servfail on Bind -9.16.1
On Sat, Nov 21, 2020 at 3:45 PM Fred Morris wrote: > Check your clock. Have you got NTP turned on? Is it working? If it's not, > flush cache/restart before you test again. > > Thank you Fred, Checked the time service , It's synced unless I am missing something. timedatectl timesync-status Server: 91.189.89.198 (ntp.ubuntu.com) Poll interval: 4min 16s (min: 32s; max 34min 8s) Leap: normal Version: 4 Stratum: 2 Reference: 91EECB0E Precision: 1us (-23) Root distance: 40.389ms (max: 5s) Offset: -4.216ms Delay: 88.989ms Jitter: 6.149ms Packet count: 4 Frequency: +49.968ppm Thank you, Upen ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Servfail on Bind -9.16.1
Check your clock. Have you got NTP turned on? Is it working? If it's not, flush cache/restart before you test again. -- Fred Morris ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Servfail on Bind -9.16.1
>packet capture (at a later point) https://dpaste.com/6FYQ4986D ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Servfail on Bind -9.16.1
Hello Ananad, and all, >www.facebook.com $ dig @127.0.0.1 -t A www.facebook.com ; <<>> DiG 9.16.1-Ubuntu <<>> @127.0.0.1 -t A www.facebook.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38917 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: a18d9ed2a6d1bcd601005fb982763dfdafed174d4ef1 (good) ;; QUESTION SECTION: ;www.facebook.com. IN A ;; Query time: 4 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Sat Nov 21 15:11:18 CST 2020 ;; MSG SIZE rcvd: 73 > Your instance of BIND is probably logging to syslog. Look for these logs > (usually /var/log/messages), and see what BIND is logging. It may shed a > light on the problem. Thank you. I enabled logging and when I grep for www.facebook.com , I notice the following output from four different log files named. debug.log:21-Nov-2020 15:11:18.004 queries: info: client @0x7fb6a800c0a0 127.0.0.1#33706 (www.facebook.com): query: www.facebook.com IN A +E(0)K (127.0.0.1) default.log:21-Nov-2020 15:11:18.008 client @0x7fb6a800c0a0 127.0.0.1#33706 (www.facebook.com): query failed (broken trust chain) for www.facebook.com/IN/A at query.c:6883 dnssec.log:21-Nov-2020 15:11:18.008 validating www.facebook.com/CNAME: bad cache hit (com/DS) lame-servers.log:21-Nov-2020 15:11:18.008 broken trust chain resolving ' www.facebook.com/A/IN': 129.134.31.12#53 Before running this query I also added dnssec-validation auto; to the options file and restarted the bind9 service. It's pointing to a broken trust chain which I am unsure how to resolve. Thanks, Upen On Sat, Nov 21, 2020 at 3:11 PM Anand Buddhdev wrote: > On 21/11/2020 21:53, upen wrote: > > Hi Upen, > > > Could you someone guide me to troubleshoot this further? Thank you for > the > > list. > > Your instance of BIND is probably logging to syslog. Look for these logs > (usually /var/log/messages), and see what BIND is logging. It may shed a > light on the problem. > > Regards, > Anand > ___ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to > unsubscribe from this list > > ISC funds the development of this software with paid support > subscriptions. Contact us at https://www.isc.org/contact/ for more > information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users > -- upen, emerge -uD life (Upgrade Life with dependencies) ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Servfail on Bind -9.16.1
On 21/11/2020 21:53, upen wrote: Hi Upen, > Could you someone guide me to troubleshoot this further? Thank you for the > list. Your instance of BIND is probably logging to syslog. Look for these logs (usually /var/log/messages), and see what BIND is logging. It may shed a light on the problem. Regards, Anand ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Servfail on Bind -9.16.1
are not FQDN ... maybe www.facebook.com<http://www.facebook.com> not only facebook.com only facebook.com could be referenced with an A record but maybe not www.facebook.com<http://www.facebook.com> is a right query From: bind-users on behalf of upen Sent: Saturday, November 21, 2020 9:53 PM To: bind-users@lists.isc.org Subject: Servfail on Bind -9.16.1 Hello, I just installed a simple caching Bind9 using the package provided by Ubuntu 20.04(64bit) OS. I am not able to look up domains successfully and getting SERVFAILs $ dig @127.0.0.1<http://127.0.0.1> -t A facebook.com<http://facebook.com> ; <<>> DiG 9.16.1-Ubuntu <<>> @127.0.0.1<http://127.0.0.1> -t A facebook.com<http://facebook.com> ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53918 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: fed86438ea8e1ae001005fb97d690fedfa8d92731165 (good) ;; QUESTION SECTION: ;facebook.com<http://facebook.com>. IN A ;; Query time: 4 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Sat Nov 21 14:49:45 CST 2020 ;; MSG SIZE rcvd: 69 $ dig @127.0.0.1<http://127.0.0.1> -t A yahoo.com<http://yahoo.com> ; <<>> DiG 9.16.1-Ubuntu <<>> @127.0.0.1<http://127.0.0.1> -t A yahoo.com<http://yahoo.com> ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20121 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: dc35adc3d416442701005fb97d6d9b599c886356e697 (good) ;; QUESTION SECTION: ;yahoo.com<http://yahoo.com>. IN A ;; Query time: 224 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Sat Nov 21 14:49:49 CST 2020 ;; MSG SIZE rcvd: 66 # cat /etc/bind/named.conf.options acl whitelist { 127.0.0.1; localhost; }; options { directory "/var/cache/bind"; recursion yes; allow-query { whitelist; }; allow-recursion { whitelist ; }; querylog yes; }; # ps -ef | grep named bind3260 1 0 14:31 ?00:00:00 /usr/sbin/named -f -4 -u bind Could you someone guide me to troubleshoot this further? Thank you for the list. Thanks, Upen ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Servfail on Bind -9.16.1
Hello, I just installed a simple caching Bind9 using the package provided by Ubuntu 20.04(64bit) OS. I am not able to look up domains successfully and getting SERVFAILs $ dig @127.0.0.1 -t A facebook.com ; <<>> DiG 9.16.1-Ubuntu <<>> @127.0.0.1 -t A facebook.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53918 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: fed86438ea8e1ae001005fb97d690fedfa8d92731165 (good) ;; QUESTION SECTION: ;facebook.com. IN A ;; Query time: 4 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Sat Nov 21 14:49:45 CST 2020 ;; MSG SIZE rcvd: 69 $ dig @127.0.0.1 -t A yahoo.com ; <<>> DiG 9.16.1-Ubuntu <<>> @127.0.0.1 -t A yahoo.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20121 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: dc35adc3d416442701005fb97d6d9b599c886356e697 (good) ;; QUESTION SECTION: ;yahoo.com. IN A ;; Query time: 224 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Sat Nov 21 14:49:49 CST 2020 ;; MSG SIZE rcvd: 66 # cat /etc/bind/named.conf.options acl whitelist { 127.0.0.1; localhost; }; options { directory "/var/cache/bind"; recursion yes; allow-query { whitelist; }; allow-recursion { whitelist ; }; querylog yes; }; # ps -ef | grep named bind3260 1 0 14:31 ?00:00:00 /usr/sbin/named -f -4 -u bind Could you someone guide me to troubleshoot this further? Thank you for the list. Thanks, Upen ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users