Re: unresolvable pms.psc.gov, but google/cloudflare/unbound work
Thanks for the help. I guess it is time to move to 9.18.

Nicholas Miller, OIT, University of Colorado at Boulder

> On Sep 19, 2023, at 1:53 AM, Ondřej Surý wrote:
>
>> On 19. 9. 2023, at 9:25, Petr Špaček wrote:
>>
>> All I can tell you is "it works on my system" (with BIND, of course):
>
> I can reproduce this on BIND 9.16 (-c /dev/null as named.conf):
>
> ## BIND 9.19-dev
>
> 19-Sep-2023 09:33:51.633 validating pms.psc.gov/CNAME: no valid signature found
> 19-Sep-2023 09:33:52.485 validating ha.psc.gov/DS: no valid signature found
> 19-Sep-2023 09:33:52.485 validating ha.psc.gov/DS: no valid signature found
> 19-Sep-2023 09:33:52.485 validating pms.ha.psc.gov/A: no valid signature found
>
> $ bin/dig/dig +noall +comments -p 12345 pms.psc.gov @127.0.0.1
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35947
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: 76cc17ac4ce491b90100650950c533d1d3531585cef9 (good)
>
> ## BIND 9.18-dev
>
> 19-Sep-2023 09:36:10.717 validating pms.psc.gov/CNAME: no valid signature found
> 19-Sep-2023 09:36:11.581 validating ha.psc.gov/DS: no valid signature found
> 19-Sep-2023 09:36:11.581 validating ha.psc.gov/DS: no valid signature found
> 19-Sep-2023 09:36:11.581 validating pms.ha.psc.gov/A: no valid signature found
>
> $ bin/dig/dig +noall +comments -p 12345 pms.psc.gov @127.0.0.1
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30482
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: f109de3980764a4201006509507caea9fe0064088c8e (good)
>
> ## BIND 9.16-dev
>
> 19-Sep-2023 09:37:17.685 validating pms.psc.gov/CNAME: no valid signature found
> 19-Sep-2023 09:37:27.685 query client=0x7f0b840013b0 thread=0x7f0b8ed7b6c0(pms.ha.psc.gov/A): query_gotanswer: unexpected error: timed out
>
> $ bin/dig/dig +short -p 12345 pms.psc.gov @127.0.0.1
>
> $ bin/dig/dig +noall +comments -p 12345 pms.psc.gov @127.0.0.1
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45084
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: e5b154394f27002201006509503c139afd80b72dd04a (good)
>
> Those servers are broken with QNAME minimization and should be fixed, but as we changed the QNAME minimization algorithm to use NS records instead of A records in BIND 9.18.17 and higher, it works now.
>
> I can confirm this works in BIND 9.18.17 and higher. And it's absolutely not BIND 9's fault.
>
> Cheers,
> --
> Ondřej Surý (He/Him)
> ond...@isc.org
>
> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: unresolvable pms.psc.gov, but google/cloudflare/unbound work
On 19. 09. 23 9:53, Ondřej Surý wrote:
>> On 19. 9. 2023, at 9:25, Petr Špaček wrote:
>
> $ bin/dig/dig +short -p 12345 pms.psc.gov @127.0.0.1
>
> $ bin/dig/dig +noall +comments -p 12345 pms.psc.gov @127.0.0.1
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45084
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: e5b154394f27002201006509503c139afd80b72dd04a (good)
>
> Those servers are broken with QNAME minimization and should be fixed, but as we changed the QNAME minimization algorithm to use NS records instead of A records in BIND 9.18.17 and higher, it works now.
>
> I can confirm this works in BIND 9.18.17 and higher. And it's absolutely not BIND 9's fault.

So all in all, time to upgrade! BIND 9.16 series will reach end of life at the end of 2023 anyway.

--
Petr Špaček
Re: unresolvable pms.psc.gov, but google/cloudflare/unbound work
> On 19. 9. 2023, at 9:25, Petr Špaček wrote:
>
> All I can tell you is "it works on my system" (with BIND, of course):

I can reproduce this on BIND 9.16 (-c /dev/null as named.conf):

## BIND 9.19-dev

19-Sep-2023 09:33:51.633 validating pms.psc.gov/CNAME: no valid signature found
19-Sep-2023 09:33:52.485 validating ha.psc.gov/DS: no valid signature found
19-Sep-2023 09:33:52.485 validating ha.psc.gov/DS: no valid signature found
19-Sep-2023 09:33:52.485 validating pms.ha.psc.gov/A: no valid signature found

$ bin/dig/dig +noall +comments -p 12345 pms.psc.gov @127.0.0.1
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35947
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 76cc17ac4ce491b90100650950c533d1d3531585cef9 (good)

## BIND 9.18-dev

19-Sep-2023 09:36:10.717 validating pms.psc.gov/CNAME: no valid signature found
19-Sep-2023 09:36:11.581 validating ha.psc.gov/DS: no valid signature found
19-Sep-2023 09:36:11.581 validating ha.psc.gov/DS: no valid signature found
19-Sep-2023 09:36:11.581 validating pms.ha.psc.gov/A: no valid signature found

$ bin/dig/dig +noall +comments -p 12345 pms.psc.gov @127.0.0.1
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30482
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: f109de3980764a4201006509507caea9fe0064088c8e (good)

## BIND 9.16-dev

19-Sep-2023 09:37:17.685 validating pms.psc.gov/CNAME: no valid signature found
19-Sep-2023 09:37:27.685 query client=0x7f0b840013b0 thread=0x7f0b8ed7b6c0(pms.ha.psc.gov/A): query_gotanswer: unexpected error: timed out

$ bin/dig/dig +short -p 12345 pms.psc.gov @127.0.0.1

$ bin/dig/dig +noall +comments -p 12345 pms.psc.gov @127.0.0.1
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45084
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: e5b154394f27002201006509503c139afd80b72dd04a (good)

Those servers are broken with QNAME minimization and should be fixed, but as we changed the QNAME minimization algorithm to use NS records instead of A records in BIND 9.18.17 and higher, it works now.

I can confirm this works in BIND 9.18.17 and higher. And it's absolutely not BIND 9's fault.

Cheers,
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
Re: unresolvable pms.psc.gov, but google/cloudflare/unbound work
On 18. 09. 23 15:29, Nicholas Miller wrote:
> I know this is an old thread but we are having issues resolving pms.psc.gov as well. Disabling DNSSec validation on a test server doesn’t solve the problem. I can add a forwarding zone for ha.psc.gov pointed to their NS servers and things work. I would love to know what is broken here.
>
> dig pms.psc.gov
>
> ; <<>> DiG 9.16.43 <<>> pms.psc.gov
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60669
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: 20b2eb2c9840bfbd010065084978288fdde1e6f7c2a6 (good)
> ;; QUESTION SECTION:
> ;pms.psc.gov. IN A
>
> ;; Query time: 2993 msec
> ;; SERVER: 128.138.240.1#53(128.138.240.1)
> ;; WHEN: Mon Sep 18 06:58:32 MDT 2023
> ;; MSG SIZE rcvd: 68

That's hard to diagnose without logs or any other supporting data. All I can tell you is "it works on my system" (with BIND, of course):

$ dig pms.psc.gov

; <<>> DiG 9.19.18-dev <<>> +timeout +retry pms.psc.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29005
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 5f2a9d77850917bd010065094c8ec7febc2147e2408d (good)
;; QUESTION SECTION:
;pms.psc.gov. IN A

;; ANSWER SECTION:
pms.psc.gov. 3600 IN CNAME pms.ha.psc.gov.
pms.ha.psc.gov. 30 IN A 156.40.178.24

;; Query time: 1533 msec
;; SERVER: 127.0.0.111#53(127.0.0.111) (UDP)
;; WHEN: Tue Sep 19 09:23:58 CEST 2023
;; MSG SIZE rcvd: 105

--
Petr Špaček
Re: unresolvable pms.psc.gov, but google/cloudflare/unbound work
I know this is an old thread but we are having issues resolving pms.psc.gov as well. Disabling DNSSec validation on a test server doesn’t solve the problem. I can add a forwarding zone for ha.psc.gov pointed to their NS servers and things work. I would love to know what is broken here.

> dig pms.psc.gov

; <<>> DiG 9.16.43 <<>> pms.psc.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60669
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 20b2eb2c9840bfbd010065084978288fdde1e6f7c2a6 (good)
;; QUESTION SECTION:
;pms.psc.gov. IN A

;; Query time: 2993 msec
;; SERVER: 128.138.240.1#53(128.138.240.1)
;; WHEN: Mon Sep 18 06:58:32 MDT 2023
;; MSG SIZE rcvd: 68

Nicholas Miller, OIT, University of Colorado at Boulder

> On Aug 22, 2021, at 11:57 AM, Matthew Richardson wrote:
>
> It looks slightly more subtle than a straight failure. There is a DS record in psc.gov pointing to key 180 in ha.psc.gov:-
>
>> ha.psc.gov. 56 IN DS 180 7 1 8A631C83457F4BDB3C450A725DFDB267C4BAC1CC
>
> This points correctly to the key. However digest algorithm 1 is now either prohibited or discouraged. Worse there is also a DS:-
>
>> ha.psc.gov. 56 IN DS 39093 7 2 DD956C9568726B6EEED24D9814F0EC0D2BD119CF4B8A6352A4BF6968 0880E8E7
>
> where key 39093 does not exist in ha.psc.gov.
>
> Buried in the mass of errors & warnings, dnsviz says:-
>
>> ha.psc.gov/DS (alg 7, id 180): DS records with digest type 1 (SHA-1) are ignored when DS records with digest type 2 (SHA-256) exist in the same RRset.
>
> With both Bind & Unbound, I get SERVFAIL. However, other resolvers may be more tolerant of algorithm 1 DS records, in which case they may decide that the answer is "valid".
>
> In any event, it needs fixing.
>
> However, to answer the OP's question, the solution is to use a "negative trust anchor":-
>
>> # rndc nta -lifetime 1d ha.psc.gov
>> Negative trust anchor added: ha.psc.gov/_default, expires 23-Aug-2021 18:55:13.000
>
> which then allowed my Bind to resolve it.
>
> Best wishes,
> Matthew
>
> --
>> From: "John W. Blue via bind-users"
>> To: "bind-users@lists.isc.org"
>> Cc:
>> Date: Sun, 22 Aug 2021 16:24:41 +
>> Subject: Re: unresolvable pms.psc.gov, but google/cloudflare/unbound work
>
>> You're using the wrong tools to troubleshoot or investigate this error.
>>
>> Instead of relying upon resolvers to provide situational awareness you need to inspect DNSSEC itself using dnsviz.net:
>>
>> https://dnsviz.net/d/pms.psc.gov/dnssec/
>>
>> psc.gov is giving the world ID 5089 when they need to be handing out ID 180.
>>
>> Recommend the pms.psc.gov admins give the psc.gov admins the correct hash.
>>
>> Sent from Nine<http://www.9folders.com/>
>>
>> From: Roger Hammerstein
>> Sent: Sunday, August 22, 2021 9:45 AM
>> To: bind-users@lists.isc.org
>> Subject: unresolvable pms.psc.gov, but google/cloudflare/unbound work
>>
>> pms.psc.gov appears to be unresolvable against bind9.16.19 and 9.11.34 because of dnssec issues.
>> But it resolves against Cloudflare's 1.1.1.1, Google's 8.8.8.8, and an Unbound resolver that does dnssec-validation.
>>
>> There's a ticket open with nih.gov to look into it, but is there anything that can be changed with Bind to make this domain resolve in the meantime?
>>
>> (pms.psc.gov): query failed (SERVFAIL) for pms.psc.gov/IN/A at query.c:8678
>>
>> https://dnsviz.net/d/pms.psc.gov/dnssec/
>> https://dnssec-analyzer.verisignlabs.com/pms.psc.gov
>>
>> dig a pms.psc.gov @8.8.8.8
>> pms.psc.gov. 2852 IN CNAME pms.ha.psc.gov.
>> pms.ha.psc.gov. 29 IN A 156.40.178.24
>>
>> dig a pms.psc.gov @8.8.8.8 +dnssec
>>
>> ;; ANSWER SECTION:
>> pms.psc.gov. 2835 IN CNAME pms.ha.psc.gov.
>> pms.psc.gov. 2835 IN RRSIG CNAME 8 3 3600 20210827000144 20210821230144 5089 psc.gov. kpclRfRyBqaSGW6VrpkE4gP/QPfggKZTVb68npiosnt+4lIUglUxino5 jQAqd9a1p8HbdHG63HPnfYYBq1bX9q/f11CVUmxXXJUbRBGTZBnDyATP LLI2GWSZ1at364O+C+iZozi8NpJNU4oTCfd3PLScFbOfSGbPyRfUzfvB AJc=
>> pms.ha.psc.gov. 29 IN
Re: unresolvable pms.psc.gov, but google/cloudflare/unbound work
It looks slightly more subtle than a straight failure. There is a DS record in psc.gov pointing to key 180 in ha.psc.gov:-

>ha.psc.gov. 56 IN DS 180 7 1 8A631C83457F4BDB3C450A725DFDB267C4BAC1CC

This points correctly to the key. However digest algorithm 1 is now either prohibited or discouraged. Worse there is also a DS:-

>ha.psc.gov. 56 IN DS 39093 7 2 DD956C9568726B6EEED24D9814F0EC0D2BD119CF4B8A6352A4BF6968 0880E8E7

where key 39093 does not exist in ha.psc.gov.

Buried in the mass of errors & warnings, dnsviz says:-

>ha.psc.gov/DS (alg 7, id 180): DS records with digest type 1 (SHA-1) are ignored when DS records with digest type 2 (SHA-256) exist in the same RRset.

With both Bind & Unbound, I get SERVFAIL. However, other resolvers may be more tolerant of algorithm 1 DS records, in which case they may decide that the answer is "valid".

In any event, it needs fixing.

However, to answer the OP's question, the solution is to use a "negative trust anchor":-

># rndc nta -lifetime 1d ha.psc.gov
>Negative trust anchor added: ha.psc.gov/_default, expires 23-Aug-2021 18:55:13.000

which then allowed my Bind to resolve it.

Best wishes,
Matthew

--
>From: "John W. Blue via bind-users"
>To: "bind-users@lists.isc.org"
>Cc:
>Date: Sun, 22 Aug 2021 16:24:41 +
>Subject: Re: unresolvable pms.psc.gov, but google/cloudflare/unbound work

>You're using the wrong tools to troubleshoot or investigate this error.
>
>Instead of relying upon resolvers to provide situational awareness you need to inspect DNSSEC itself using dnsviz.net:
>
>https://dnsviz.net/d/pms.psc.gov/dnssec/
>
>psc.gov is giving the world ID 5089 when they need to be handing out ID 180.
>
>Recommend the pms.psc.gov admins give the psc.gov admins the correct hash.
>
>Sent from Nine<http://www.9folders.com/>
>________
>From: Roger Hammerstein
>Sent: Sunday, August 22, 2021 9:45 AM
>To: bind-users@lists.isc.org
>Subject: unresolvable pms.psc.gov, but google/cloudflare/unbound work
>
>pms.psc.gov appears to be unresolvable against bind9.16.19 and 9.11.34 because of dnssec issues.
>But it resolves against Cloudflare's 1.1.1.1, Google's 8.8.8.8, and an Unbound resolver that does dnssec-validation.
>
>There's a ticket open with nih.gov to look into it, but is there anything that can be changed with Bind to make this domain resolve in the meantime?
>
>(pms.psc.gov): query failed (SERVFAIL) for pms.psc.gov/IN/A at query.c:8678
>
>https://dnsviz.net/d/pms.psc.gov/dnssec/
>https://dnssec-analyzer.verisignlabs.com/pms.psc.gov
>
>dig a pms.psc.gov @8.8.8.8
>pms.psc.gov. 2852 IN CNAME pms.ha.psc.gov.
>pms.ha.psc.gov. 29 IN A 156.40.178.24
>
>dig a pms.psc.gov @8.8.8.8 +dnssec
>
>;; ANSWER SECTION:
>pms.psc.gov. 2835 IN CNAME pms.ha.psc.gov.
>pms.psc.gov. 2835 IN RRSIG CNAME 8 3 3600 20210827000144 20210821230144 5089 psc.gov. kpclRfRyBqaSGW6VrpkE4gP/QPfggKZTVb68npiosnt+4lIUglUxino5 jQAqd9a1p8HbdHG63HPnfYYBq1bX9q/f11CVUmxXXJUbRBGTZBnDyATP LLI2GWSZ1at364O+C+iZozi8NpJNU4oTCfd3PLScFbOfSGbPyRfUzfvB AJc=
>pms.ha.psc.gov. 29 IN A 156.40.178.24
>pms.ha.psc.gov. 29 IN RRSIG A 7 4 30 20210827185442 20210820185442 21380 ha.psc.gov. w2XUqBVoBMtLv0qfc5xmccrpv+w2ukwGfaGJvthIKHXr2SdlAk3oQxve xyolEaj2zWn8Uj7lOsaZD8mewBMQ3iEEp8U96aFBslWV/ffEKL+H9oMM sUNU5KwNi7/Nk3KZuNc8R3xxuYTsSVdbu6ai1lQ6fmw2uWAoDP9YIqek jyo/0WFSXM+hxw/5WguijhilSRIywNgG3/6MY3ZmunPPafGTCTXigyex IBACJQJ+meD6vMi0YoRM17mwdD+7Buq2cb6LJyVYaQImh7M2gF8My75n lDns4PWEIx4bSW2uQQEPpB7MA9VI9y5CuVCmqC3wMZ2ow6G8pkaf18wv r/ucSQ==
>
>I can sometimes get a servfail out of 8.8.8.8 with an any query
>dig any pms.psc.gov @8.8.8.8 +dnssec
>;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36332
>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>;; OPT PSEUDOSECTION:
>; EDNS: version: 0, flags: do; udp: 512
>;; QUESTION SECTION:
>;pms.psc.gov. IN ANY
>;; Query time: 5001 msec
Re: unresolvable pms.psc.gov, but google/cloudflare/unbound work
You're using the wrong tools to troubleshoot or investigate this error.

Instead of relying upon resolvers to provide situational awareness you need to inspect DNSSEC itself using dnsviz.net:

https://dnsviz.net/d/pms.psc.gov/dnssec/

psc.gov is giving the world ID 5089 when they need to be handing out ID 180.

Recommend the pms.psc.gov admins give the psc.gov admins the correct hash.

Sent from Nine<http://www.9folders.com/>

From: Roger Hammerstein
Sent: Sunday, August 22, 2021 9:45 AM
To: bind-users@lists.isc.org
Subject: unresolvable pms.psc.gov, but google/cloudflare/unbound work

pms.psc.gov appears to be unresolvable against bind9.16.19 and 9.11.34 because of dnssec issues.
But it resolves against Cloudflare's 1.1.1.1, Google's 8.8.8.8, and an Unbound resolver that does dnssec-validation.

There's a ticket open with nih.gov to look into it, but is there anything that can be changed with Bind to make this domain resolve in the meantime?

(pms.psc.gov): query failed (SERVFAIL) for pms.psc.gov/IN/A at query.c:8678

https://dnsviz.net/d/pms.psc.gov/dnssec/
https://dnssec-analyzer.verisignlabs.com/pms.psc.gov

dig a pms.psc.gov @8.8.8.8
pms.psc.gov. 2852 IN CNAME pms.ha.psc.gov.
pms.ha.psc.gov. 29 IN A 156.40.178.24

dig a pms.psc.gov @8.8.8.8 +dnssec

;; ANSWER SECTION:
pms.psc.gov. 2835 IN CNAME pms.ha.psc.gov.
pms.psc.gov. 2835 IN RRSIG CNAME 8 3 3600 20210827000144 20210821230144 5089 psc.gov. kpclRfRyBqaSGW6VrpkE4gP/QPfggKZTVb68npiosnt+4lIUglUxino5 jQAqd9a1p8HbdHG63HPnfYYBq1bX9q/f11CVUmxXXJUbRBGTZBnDyATP LLI2GWSZ1at364O+C+iZozi8NpJNU4oTCfd3PLScFbOfSGbPyRfUzfvB AJc=
pms.ha.psc.gov. 29 IN A 156.40.178.24
pms.ha.psc.gov. 29 IN RRSIG A 7 4 30 20210827185442 20210820185442 21380 ha.psc.gov. w2XUqBVoBMtLv0qfc5xmccrpv+w2ukwGfaGJvthIKHXr2SdlAk3oQxve xyolEaj2zWn8Uj7lOsaZD8mewBMQ3iEEp8U96aFBslWV/ffEKL+H9oMM sUNU5KwNi7/Nk3KZuNc8R3xxuYTsSVdbu6ai1lQ6fmw2uWAoDP9YIqek jyo/0WFSXM+hxw/5WguijhilSRIywNgG3/6MY3ZmunPPafGTCTXigyex IBACJQJ+meD6vMi0YoRM17mwdD+7Buq2cb6LJyVYaQImh7M2gF8My75n lDns4PWEIx4bSW2uQQEPpB7MA9VI9y5CuVCmqC3wMZ2ow6G8pkaf18wv r/ucSQ==

I can sometimes get a servfail out of 8.8.8.8 with an any query
dig any pms.psc.gov @8.8.8.8 +dnssec
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36332
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;pms.psc.gov. IN ANY
;; Query time: 5001 msec
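Added example (not part of the original thread, and not BIND's or Unbound's code): the DS-to-key matching that the two replies above discuss, run on the two ha.psc.gov DS records quoted in Matthew Richardson's reply. It applies the RFC 4509 section 3 rule that SHA-1 DS records are ignored when a SHA-256 DS is in the same RRset. The child key set {180, 21380} is an assumption built from the key tags mentioned in the thread, and matching is by key tag and algorithm only, without recomputing digests.

```python
from dataclasses import dataclass

SHA1, SHA256 = 1, 2
DIGEST_HEX_LEN = {SHA1: 40, SHA256: 64}

# The two DS records quoted in the thread (the second digest contains a space,
# as dig prints it).
DS_RRSET = """\
ha.psc.gov. 56 IN DS 180 7 1 8A631C83457F4BDB3C450A725DFDB267C4BAC1CC
ha.psc.gov. 56 IN DS 39093 7 2 DD956C9568726B6EEED24D9814F0EC0D2BD119CF4B8A6352A4BF6968 0880E8E7
"""

# Assumption: (key tag, algorithm) pairs in the ha.psc.gov DNSKEY RRset.
# 180 is the key the thread says exists; 21380 is the signer of the A RRSIG.
CHILD_KEYS = {(180, 7), (21380, 7)}


@dataclass(frozen=True)
class DS:
    owner: str
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str


def parse_ds(text):
    """Parse presentation-format DS records, rejoining space-split digests."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if "DS" not in fields:
            continue
        i = fields.index("DS")
        key_tag, algorithm, digest_type = (int(f) for f in fields[i + 1:i + 4])
        digest = "".join(fields[i + 4:]).upper()
        int(digest, 16)  # raises ValueError on non-hex input
        want = DIGEST_HEX_LEN.get(digest_type)
        if want is not None and len(digest) != want:
            raise ValueError(f"digest type {digest_type} needs {want} hex chars")
        records.append(DS(fields[0], key_tag, algorithm, digest_type, digest))
    return records


def usable_ds(rrset, apply_rfc4509=True):
    """RFC 4509 section 3: ignore SHA-1 DS records if a SHA-256 DS is present."""
    if apply_rfc4509 and any(ds.digest_type == SHA256 for ds in rrset):
        return [ds for ds in rrset if ds.digest_type != SHA1]
    return list(rrset)


def chain_status(rrset, child_keys, apply_rfc4509=True):
    """Return ("linked" | "bogus" | "insecure", DS records matching a child key)."""
    if not rrset:
        return "insecure", []  # no DS at the parent: unsigned delegation
    matched = [ds for ds in usable_ds(rrset, apply_rfc4509)
               if (ds.key_tag, ds.algorithm) in child_keys]
    return ("linked" if matched else "bogus"), matched


if __name__ == "__main__":
    rrset = parse_ds(DS_RRSET)
    for strict in (True, False):
        status, matched = chain_status(rrset, CHILD_KEYS, apply_rfc4509=strict)
        print(f"apply_rfc4509={strict}: {status}, matching key tags "
              f"{[ds.key_tag for ds in matched]}")
```

With the rule applied, only the DS for key tag 39093 remains and no child key matches it; without the rule, the SHA-1 DS for key tag 180 still links the delegation, which is the difference in tolerance the reply describes.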
unresolvable pms.psc.gov, but google/cloudflare/unbound work
pms.psc.gov appears to be unresolvable against bind9.16.19 and 9.11.34 because of dnssec issues.
But it resolves against Cloudflare's 1.1.1.1, Google's 8.8.8.8, and an Unbound resolver that does dnssec-validation.

There's a ticket open with nih.gov to look into it, but is there anything that can be changed with Bind to make this domain resolve in the meantime?

(pms.psc.gov): query failed (SERVFAIL) for pms.psc.gov/IN/A at query.c:8678

https://dnsviz.net/d/pms.psc.gov/dnssec/
https://dnssec-analyzer.verisignlabs.com/pms.psc.gov

dig a pms.psc.gov @8.8.8.8
pms.psc.gov. 2852 IN CNAME pms.ha.psc.gov.
pms.ha.psc.gov. 29 IN A 156.40.178.24

dig a pms.psc.gov @8.8.8.8 +dnssec

;; ANSWER SECTION:
pms.psc.gov. 2835 IN CNAME pms.ha.psc.gov.
pms.psc.gov. 2835 IN RRSIG CNAME 8 3 3600 20210827000144 20210821230144 5089 psc.gov. kpclRfRyBqaSGW6VrpkE4gP/QPfggKZTVb68npiosnt+4lIUglUxino5 jQAqd9a1p8HbdHG63HPnfYYBq1bX9q/f11CVUmxXXJUbRBGTZBnDyATP LLI2GWSZ1at364O+C+iZozi8NpJNU4oTCfd3PLScFbOfSGbPyRfUzfvB AJc=
pms.ha.psc.gov. 29 IN A 156.40.178.24
pms.ha.psc.gov. 29 IN RRSIG A 7 4 30 20210827185442 20210820185442 21380 ha.psc.gov. w2XUqBVoBMtLv0qfc5xmccrpv+w2ukwGfaGJvthIKHXr2SdlAk3oQxve xyolEaj2zWn8Uj7lOsaZD8mewBMQ3iEEp8U96aFBslWV/ffEKL+H9oMM sUNU5KwNi7/Nk3KZuNc8R3xxuYTsSVdbu6ai1lQ6fmw2uWAoDP9YIqek jyo/0WFSXM+hxw/5WguijhilSRIywNgG3/6MY3ZmunPPafGTCTXigyex IBACJQJ+meD6vMi0YoRM17mwdD+7Buq2cb6LJyVYaQImh7M2gF8My75n lDns4PWEIx4bSW2uQQEPpB7MA9VI9y5CuVCmqC3wMZ2ow6G8pkaf18wv r/ucSQ==

I can sometimes get a servfail out of 8.8.8.8 with an any query
dig any pms.psc.gov @8.8.8.8 +dnssec
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36332
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;pms.psc.gov. IN ANY
;; Query time: 5001 msec