Hi, just another data point and no final conclusion: we're running BIND as recursors, and have also received reports that lookup of various names under FreeBSD.org intermittently fails. I've seen reports about failing queries for at least
bugs.freebsd.org / a _http._tcp.freebsd.org / srv Our recursors run with DNSSEC validation enabled, and don't have any "general problems with DNSSEC". Passing either of those names above to the machinery at https://dnsviz.net reveals no problems per se with the DNSSEC setup for freebsd.org. The only oddity I can find (this isn't really an error), is that none of the zones where the name servers serving freebsd.org are registered are DNSSEC-secured: freebsd.org. 3600 IN NS ns2.isc-sns.com. freebsd.org. 3600 IN NS ns3.isc-sns.info. freebsd.org. 3600 IN NS ns1.isc-sns.net. is the NS-set, but neither isc-sns.com. isc-sns.info nor isc-sns.net are DNSSEC-secured (there is no DS record in the parent zone). However, running this small script: ----------snip #! /bin/sh qn=bugs.freebsd.org. # or point explicitly... recursor=$(awk '/nameserver/{ print $2; exit; }' /etc/resolv.conf) while true; do out=$(dig @$recursor $qn a) if ! expr "$out" : ".*, status: NOERROR" >/dev/null; then echo echo "$out" exit 1 fi echo -n . sleep 30 done ----------snip fails relatively quickly for me: % ./check-bugs-freebsd-org.sh .................. ; <<>> DiG 9.10.5-P1 <<>> @2001:700:xx:xx::ca53 bugs.freebsd.org. a ; (2 servers found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60387 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;bugs.freebsd.org. IN A ;; Query time: 3989 msec ;; SERVER: 2001:700:xx:xx::ca53#53(2001:700:xx:xx::ca53) ;; WHEN: Fri Oct 18 10:21:36 CEST 2019 ;; MSG SIZE rcvd: 45 % The "query errors" log of BIND contains: Oct 18 10:21:36 oliven named[20568]: client @0x7491477fb000 2001:700:x:0:xx:xx:xx:xx#51269 (bugs.freebsd.org): query failed (timed out) for bugs.freebsd.org/IN/A at query.c:6818 Oct 18 10:21:36 oliven named[20568]: client @0x7490e07fd000 a.b.c.d#54158 (bugs.freebsd.org): query failed (timed out) for bugs.freebsd.org/IN/A at query.c:6818 I also have a "dnscap" going, and I find this matches with these queries: 10:21:32.961179 IP6 2001:700:x:0:xx:xx:xx:xx.51269 > 2001:700:xx:xx::ca53.53: 60387+ [1au] A? bugs.freebsd.org. (45) 10:21:33.971546 IP a.b.c.d.54158 > 158.38.0.168.53: 60387+ [1au] A? bugs.freebsd.org. (45) 10:21:34.019102 IP6 2001:700:xx:xx::ca53.56594 > 2001:5a0:10::1.53: 317% [1au] AAAA? ns2.isc-sns.com. (56) 10:21:34.019319 IP6 2001:700:xx:xx::ca53.53327 > 2001:5a0:10::1.53: 14440% [1au] A? ns3.isc-sns.info. (57) 10:21:36.949709 IP6 2001:700:xx:xx::ca53.53 > 2001:700:x:0:xx:xx:xx:xx.51269: 60387 ServFail 0/0/1 (45) 10:21:36.949747 IP 158.38.0.168.53 > a.b.c.d.54158: 60387 ServFail 0/0/1 (45) It also seems that the queries to 2001:5a0:10::1 for ns2.isc-sns.com and ns3.isc-sns.info went unanswered -- there's no further trace of those query-IDs in the dnscap log. It doesn't seem that the SERVFAIL is caused by DNSSEC validation failure, at least. The next candidate on the list is probably (temporarily) unresponsive publishing name servers(?) Best regards, - HÃ¥vard
