On Wed, Dec 20, 2017 at 7:11 PM, Reindl Harald <[email protected]> wrote:
> > > Am 20.12.2017 um 10:05 schrieb D Gilmore: > >> Why is this happening? I am an average user trying to get to the >> www.gnu.org website. I have no problem with any other website at the >> moment. I have spent hours googling and asking questions on forums trying >> to solve this problem. But I do not know how to resolve this. I have tried >> different solutions only to get myself into more trouble. I am using Ubuntu >> 17.04 64bit which is a new installation with very few additions. I do have >> Ghostery and a Ad Blocker on both browsers (firefox and chrome) but there >> is no effect with them enabled or disabled >> > > https://dnssec-debugger.verisignlabs.com/gnu.org > No DS records found for gnu.org in the org zone > That's fine. If the delegation has no DS records, resolvers just treat the whole zone as unsigned. (Otherwise bootstrapping a signed zone would be quite difficult.) You're probably thinking of the opposite situation -- DS in the parent, but no keys/signatures in the zone itself -- which *would* result in a validation failure. > why do you think that is systemd related and what operating system are you > running? most likely something like below is enabled on your system and > DNSSEC for gnu.org seems to be fucked up > > No, what is fucked up is gnu.org's nameservers *themselves*. Two out of four nameservers (ns{1..4}.gnu.org) are completely down at the moment. So the SERVFAIL most likely just indicates that `resolved` gave up waiting for a reply -- it doesn't necessarily mean a validation failure. I'm not sure what the official retry rules are -- I'd expect the resolver to keep trying until it finds a working nameserver, instead of giving up mid-way. But instead, I have seen the same behavior with Unbound as well -- it would give up and return SERVFAIL after trying just one or two nameservers. -- Mantas Mikulėnas
_______________________________________________ systemd-devel mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/systemd-devel
