Servfail on Bind -9.16.1

Servfail on Bind -9.16.1

upen
Hello,
I just installed a simple caching Bind9 using the package provided by the Ubuntu 20.04 (64-bit) OS.

I am not able to look up domains successfully and am getting SERVFAILs.

$ dig @127.0.0.1 -t A facebook.com

; <<>> DiG 9.16.1-Ubuntu <<>> @127.0.0.1 -t A facebook.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53918
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: fed86438ea8e1ae0010000005fb97d690fedfa8d92731165 (good)
;; QUESTION SECTION:
;facebook.com.                  IN      A

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Nov 21 14:49:45 CST 2020
;; MSG SIZE  rcvd: 69

$ dig @127.0.0.1 -t A yahoo.com

; <<>> DiG 9.16.1-Ubuntu <<>> @127.0.0.1 -t A yahoo.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20121
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: dc35adc3d4164427010000005fb97d6d9b599c886356e697 (good)
;; QUESTION SECTION:
;yahoo.com.                     IN      A

;; Query time: 224 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Nov 21 14:49:49 CST 2020
;; MSG SIZE  rcvd: 66


# cat /etc/bind/named.conf.options
acl whitelist {
        127.0.0.1;
        localhost;
};

options {
        directory "/var/cache/bind";
        recursion yes;
        allow-query { whitelist; };
        allow-recursion { whitelist ; };
        querylog yes;
};

# ps -ef | grep named
bind        3260       1  0 14:31 ?        00:00:00 /usr/sbin/named -f -4 -u bind

Could someone guide me to troubleshoot this further? Thank you for the list.

Thanks,
Upen

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: Servfail on Bind -9.16.1

alcol alcol
are not FQDN ...

maybe www.facebook.com not only facebook.com
only facebook.com could be referenced with an A record but maybe not

www.facebook.com is a right query





Re: Servfail on Bind -9.16.1

Anand Buddhdev
On 21/11/2020 21:53, upen wrote:

Hi Upen,

> Could someone guide me to troubleshoot this further? Thank you for the
> list.

Your instance of BIND is probably logging to syslog. Look for these logs
(usually /var/log/messages) and see what BIND is logging. It may shed
light on the problem.

Regards,
Anand

Re: Servfail on Bind -9.16.1

upen
Hello Anand, and all,

$ dig @127.0.0.1 -t A www.facebook.com

; <<>> DiG 9.16.1-Ubuntu <<>> @127.0.0.1 -t A www.facebook.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38917
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: a18d9ed2a6d1bcd6010000005fb982763dfdafed174d4ef1 (good)
;; QUESTION SECTION:
;www.facebook.com.              IN      A

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Nov 21 15:11:18 CST 2020
;; MSG SIZE  rcvd: 73

> Your instance of BIND is probably logging to syslog. Look for these logs
> (usually /var/log/messages) and see what BIND is logging. It may shed
> light on the problem.

Thank you. I enabled logging, and when I grep for www.facebook.com I notice the following output in four different log files written by named.

debug.log:21-Nov-2020 15:11:18.004 queries: info: client @0x7fb6a800c0a0 127.0.0.1#33706 (www.facebook.com): query: www.facebook.com IN A +E(0)K (127.0.0.1)
default.log:21-Nov-2020 15:11:18.008 client @0x7fb6a800c0a0 127.0.0.1#33706 (www.facebook.com): query failed (broken trust chain) for www.facebook.com/IN/A at query.c:6883
dnssec.log:21-Nov-2020 15:11:18.008 validating www.facebook.com/CNAME: bad cache hit (com/DS)
lame-servers.log:21-Nov-2020 15:11:18.008 broken trust chain resolving 'www.facebook.com/A/IN': 129.134.31.12#53


Before running this query I also added dnssec-validation auto; to the options file and restarted the bind9 service. It's pointing to a broken trust chain, which I am unsure how to resolve.

Thanks,
Upen


On Sat, Nov 21, 2020 at 3:11 PM Anand Buddhdev <[hidden email]> wrote:
On 21/11/2020 21:53, upen wrote:

Hi Upen,

> Could you someone guide me to troubleshoot this further? Thank you for the
> list.

Your instance of BIND is probably logging to syslog. Look for these logs
(usually /var/log/messages), and see what BIND is logging. It may shed a
light on the problem.

Regards,
Anand
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users


--
upen,
emerge -uD life (Upgrade Life with dependencies)


Re: Servfail on Bind -9.16.1

upen
>packet capture (at a later point)


Re: Servfail on Bind -9.16.1

Fred Morris
Check your clock. Have you got NTP turned on? Is it working? If it's not,
flush cache/restart before you test again.

--

Fred Morris


Re: Servfail on Bind -9.16.1

upen

On Sat, Nov 21, 2020 at 3:45 PM Fred Morris <[hidden email]> wrote:
Check your clock. Have you got NTP turned on? Is it working? If it's not,
flush cache/restart before you test again.

Thank you Fred,
Checked the time service; it's synced, unless I am missing something.

timedatectl timesync-status
       Server: 91.189.89.198 (ntp.ubuntu.com)
Poll interval: 4min 16s (min: 32s; max 34min 8s)
         Leap: normal
      Version: 4
      Stratum: 2
    Reference: 91EECB0E
    Precision: 1us (-23)
Root distance: 40.389ms (max: 5s)
       Offset: -4.216ms
        Delay: 88.989ms
       Jitter: 6.149ms
 Packet count: 4
    Frequency: +49.968ppm

Thank you,
Upen


Re: Servfail on Bind -9.16.1

julien soula-2
On Sat, Nov 21, 2020 at 03:20:26PM -0600, upen wrote:
> .../...
> default.log:21-Nov-2020 15:11:18.008 client @0x7fb6a800c0a0 127.0.0.1#33706
> (www.facebook.com): query failed (broken trust chain) for
> www.facebook.com/IN/A at query.c:6883
> dnssec.log:21-Nov-2020 15:11:18.008 validating www.facebook.com/CNAME: bad
> cache hit (com/DS)
> lame-servers.log:21-Nov-2020 15:11:18.008 broken trust chain resolving '
> www.facebook.com/A/IN': 129.134.31.12#53

It seems to be an error in DNSSEC. So I suppose that "dig +nodnssec
...." works.

Maybe "dig +trace facebook.com" will give you more hints.

Sincerely,
--
Julien

Re: Servfail on Bind -9.16.1

Ismael Suarez Maldonado
Also, just for testing. Similar happened to me. Try with ‘dnssec-validation no;’

Re: Servfail on Bind -9.16.1

upen


On Sun, Nov 22, 2020 at 8:14 AM Ismael Suarez <[hidden email]> wrote:
Also, just for testing. Similar happened to me. Try with ‘dnssec-validation no;’

Thank you Ismael, you are right.
The resolution worked after setting ^^^

So, to answer Julien as well, I believe +nodnssec in the dig would have helped with resolution.

So validation is not working, it seems. What could be the reason for that? Is something wrong in my configuration or network such that DNSSEC validation cannot be used in my configuration?

I can set it to auto again and run dig +trace if that will help troubleshoot further why validation may not be working. I'm unsure if this is expected or whether something could be wrong somewhere on my end/network.

Thank you again everyone,
Upen
--
upen,
emerge -uD life (Upgrade Life with dependencies)


Re: Servfail on Bind -9.16.1

Matus UHLAR - fantomas
>On Sun, Nov 22, 2020 at 8:14 AM Ismael Suarez <[hidden email]>
>wrote:

>> Also, just for testing. Similar happened to me. Try with
>> ‘dnssec-validation no;’

On 22.11.20 09:05, upen wrote:
>Thank you Ismael, you are right .
>The resolution worked after setting ^^^
>
>So to answer Julien also I believe +nodnssec in the dig would have helped
>with resolution.
>
>So validation is not working it seems . What could be reason for that? Is
>something wrong on my configuration or network that the dnssec validation
>can not be used in my configuration.

It's possible that your provider does DNS hijacking.
DNS over TLS or DNS over HTTPS could help verify that.



--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
It's now safe to throw off your computer.

Re: Servfail on Bind -9.16.1

upen


On Sun, Nov 22, 2020 at 9:35 AM Matus UHLAR - fantomas <[hidden email]> wrote:
It's possible that your provider does DNS hijacking.
DNS over TLS or DNS over HTTPS could help verify that.



Thank you Matus. So this is inside a university network and on a server. Maybe the network people do some DNS interception. I did upload a link to a packet capture which may shed some light on whether they do indeed hijack.

But from your reply it sounds like this behavior with auto is not expected and things should work for those domains, so there is definitely something to check on my network/configuration end of things.

Thank you
Upen



--
upen,
emerge -uD life (Upgrade Life with dependencies)


Re: Servfail on Bind -9.16.1

Mark Andrews
OK. Let's start by debugging this from the trust anchor downwards.
Let's see what "dig +dnssec +cd dnskey ." returns. It should return
something like below, with 2 DNSKEY records and an RRSIG for the DNSKEY.
The RRSIG is regenerated daily so it will likely differ. The DNSKEY
records should be an exact match. In this case flags contains 'ad', which
means that the RRset has previously been validated.

[beetle:~/git/bind9] marka% dig +dnssec +cd dnskey .
;; BADCOOKIE, retrying.

; <<>> DiG 9.15.4 <<>> +dnssec +cd dnskey .
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12403
;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: f182281b307ab59a010000005fbaf21fcdc7ab7803361e3c (good)
;; QUESTION SECTION:
;. IN DNSKEY

;; ANSWER SECTION:
. 134751 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=
. 134751 IN DNSKEY 256 3 8 AwEAAfC/6HLClwss6h7rPfoG2cliv4/SPJRd2HPEglRsvKZRbPP2RLfi obeAkczcdqaD5q8loEt14lcTgDqwzOISZ3YvSVkM4JRMFwKzcjukKo5C sDVbMmhTD0C0yxWICRQ1M+Y5/XkZAT7mt4cb3fWcN9xgyq1wEXQX+zdL QHrNEVQSiL5SoA5cOtCSoQ45n8bKDXdw/0jjP9Rw1FVKsdzLVkQSrVMm 8k30WUkHm/SK/n/954KENkdQOA6Li2vO9nicQdegyAkDeNJCdPN/p3jE hCTQLyO4AlAmyaPcDHeeo7OXr/VsYu4NTDde9hBuS0zx/rewD+BvSnmn NHNmH2FjUE8=
. 134751 IN RRSIG DNSKEY 8 0 172800 20201211000000 20201120000000 20326 . eD2ohirt98vCTbuBKIH8lmGum8g2zumyXA89A999extXqsWmomgVQhcb l6zvJHLdFvhBmA+ZqhOTiXvdXpOPeyqHLuMiRv8TTawNU305WPnsonSx uD5ThT9q7YXUZc9ty19Aur3AU0KtlNGULI+4ExrghEkdTNrysqgDWBO6 zslPuJlzSwu/qZcPWYVjsWRnCtJ9DyCpgLnjSYIUzA0Xz+FWtj1jM0BK Z9EyO+W5EaGkL2/u+bWWG07ZKJN0NwvTuq7Ounc+lz0zZDh83r/H4KRN J4VIoY3qPDkW4ZvGdAFM5o8sZdTTWKbieqCqWccj8W6sHEdiZ91JCt/G 3/FVsw==

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Nov 23 10:19:59 AEDT 2020
;; MSG SIZE  rcvd: 893

[beetle:~/git/bind9] marka%

If you don't get an answer like this then we need to work out why.

Do you have a local copy of the root zone? If so, is it from IANA
or from somewhere else?

Are you forwarding the root zone? If so, what do ALL the forwarders
return for "dig +dnssec +cd dnskey . @<server>", where <server> is
replaced by the IP address of each server? If you are forwarding, is
it forward "first" or "only"?

Mark


--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [hidden email]
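
An added example (not code from the thread, from ISC or from BIND) that does the first step Mark describes offline, in Python: it parses the root DNSKEY RRset and its RRSIG from a dig answer, computes the RFC 4034 key tags, checks that the RRSIG over the DNSKEY RRset names the SEP key (tag 20326 here), computes the SHA-256 DS digest for comparison against the trust anchor in /usr/share/dns/root.ds, and tests the signature's validity window against a supplied clock time, the point Fred raised. The sample RRset is copied from Mark's dig output above; the function and status names are this example's own.

```python
"""Offline check of a root DNSKEY answer, following Mark's "trust anchor
downwards" approach: RFC 4034 key tags, which key signed the RRset, the DS
digest to compare with a trust anchor file, and the RRSIG validity window
against a supplied clock time (the NTP point Fred raised)."""
import base64
import hashlib
import struct
from datetime import datetime, timezone

# Sample input, copied from Mark's dig output in this thread: the root DNSKEY
# RRset (KSK-2017, key tag 20326, plus the ZSK current in November 2020).
SAMPLE_ANSWER = """\
. 134751 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=
. 134751 IN DNSKEY 256 3 8 AwEAAfC/6HLClwss6h7rPfoG2cliv4/SPJRd2HPEglRsvKZRbPP2RLfi obeAkczcdqaD5q8loEt14lcTgDqwzOISZ3YvSVkM4JRMFwKzcjukKo5C sDVbMmhTD0C0yxWICRQ1M+Y5/XkZAT7mt4cb3fWcN9xgyq1wEXQX+zdL QHrNEVQSiL5SoA5cOtCSoQ45n8bKDXdw/0jjP9Rw1FVKsdzLVkQSrVMm 8k30WUkHm/SK/n/954KENkdQOA6Li2vO9nicQdegyAkDeNJCdPN/p3jE hCTQLyO4AlAmyaPcDHeeo7OXr/VsYu4NTDde9hBuS0zx/rewD+BvSnmn NHNmH2FjUE8=
. 134751 IN RRSIG DNSKEY 8 0 172800 20201211000000 20201120000000 20326 . eD2ohirt98vCTbuBKIH8lmGum8g2zumyXA89A999extXqsWmomgVQhcb l6zvJHLdFvhBmA+ZqhOTiXvdXpOPeyqHLuMiRv8TTawNU305WPnsonSx uD5ThT9q7YXUZc9ty19Aur3AU0KtlNGULI+4ExrghEkdTNrysqgDWBO6 zslPuJlzSwu/qZcPWYVjsWRnCtJ9DyCpgLnjSYIUzA0Xz+FWtj1jM0BK Z9EyO+W5EaGkL2/u+bWWG07ZKJN0NwvTuq7Ounc+lz0zZDh83r/H4KRN J4VIoY3qPDkW4ZvGdAFM5o8sZdTTWKbieqCqWccj8W6sHEdiZ91JCt/G 3/FVsw==
"""


def parse_presentation(text):
    """Return (owner, rrtype, rdata_fields) for each 'owner TTL IN TYPE ...'
    line; dig's ';' comment lines and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].startswith(";") or parts[2] != "IN":
            continue
        records.append((parts[0], parts[3], parts[4:]))
    return records


def dnskey_rdata(fields):
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key.
    dig wraps the base64 with spaces, so the chunks are joined first."""
    flags, proto, alg = (int(x) for x in fields[:3])
    return struct.pack("!HBB", flags, proto, alg) + base64.b64decode("".join(fields[3:]))


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name):
    """Canonical (lower-cased) wire form of an owner name; '.' is one zero byte."""
    if name == ".":
        return b"\x00"
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over owner name + DNSKEY RDATA (RFC 4034 5.1.4).
    Compare it with the digest in the trust anchor, e.g. /usr/share/dns/root.ds."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()


def rrsig_time(stamp):
    """RRSIG inception/expiration in YYYYMMDDHHMMSS form, always UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(fields):
    """RRSIG RDATA fields in presentation order (RFC 4034 section 3.2)."""
    return {"type_covered": fields[0], "algorithm": int(fields[1]),
            "expiration": rrsig_time(fields[4]), "inception": rrsig_time(fields[5]),
            "key_tag": int(fields[6]), "signer": fields[7]}


def check_dnskey_answer(text, now):
    """Findings for a DNSKEY answer: per-key tag, flags and DS digest, the key
    tag named by the RRSIG, and a status string; 'now' is YYYYMMDDHHMMSS UTC."""
    keys, rrsig = {}, None
    for owner, rrtype, fields in parse_presentation(text):
        if rrtype == "DNSKEY":
            rdata = dnskey_rdata(fields)
            keys[key_tag(rdata)] = {"flags": int(fields[0]),
                                    "ds_sha256": ds_sha256(owner, rdata)}
        elif rrtype == "RRSIG" and fields[0] == "DNSKEY":
            rrsig = parse_rrsig(fields)
    if rrsig is None:
        return {"status": "no RRSIG over the DNSKEY RRset", "keys": keys}
    signer = keys.get(rrsig["key_tag"])
    if signer is None:
        status = "RRSIG key tag %d matches no DNSKEY in the answer" % rrsig["key_tag"]
    elif not signer["flags"] & 0x0001:  # bit 15 is SEP: the RRset must be signed by the KSK
        status = "DNSKEY RRset signed by a non-SEP key"
    elif rrsig_time(now) < rrsig["inception"]:
        status = "signature not yet valid: check the clock"
    elif rrsig_time(now) > rrsig["expiration"]:
        status = "signature expired: check the clock or a stale cache"
    else:
        status = "ok"
    return {"status": status, "keys": keys, "signer_tag": rrsig["key_tag"]}
```

Run `check_dnskey_answer(SAMPLE_ANSWER, "20201122141800")` for the answer from the thread; feeding it the same RRset with a clock outside 2020-11-20 to 2020-12-11 shows the clock-skew failure mode as a status string instead of a bare SERVFAIL.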


Re: Servfail on Bind -9.16.1

upen
Hi Mark and everyone,

Thank you for continuing to help me.
I have set DNSSEC validation to auto from no and restarted the bind9 service.

# egrep dnssec-validation /etc/bind/named.conf.options
        dnssec-validation auto;

#dig +dnssec +cd dnskey .
; <<>> DiG 9.16.1-Ubuntu <<>> +dnssec +cd dnskey .
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30138
;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 4c28af06251e4b51010000005fbb1b1fa619c694e6bff1b4 (good)
;; QUESTION SECTION:
;.                              IN      DNSKEY

;; ANSWER SECTION:
.                       172780  IN      DNSKEY  256 3 8 AwEAAfC/6HLClwss6h7rPfoG2cliv4/SPJRd2HPEglRsvKZRbPP2RLfi obeAkczcdqaD5q8loEt14lcTgDqwzOISZ3YvSVkM4JRMFwKzcjukKo5C sDVbMmhTD0C0yxWICRQ1M+Y5/XkZAT7mt4cb3fWcN9xgyq1wEXQX+zdL QHrNEVQSiL5SoA5cOtCSoQ45n8bKDXdw/0jjP9Rw1FVKsdzLVkQSrVMm 8k30WUkHm/SK/n/954KENkdQOA6Li2vO9nicQdegyAkDeNJCdPN/p3jE hCTQLyO4AlAmyaPcDHeeo7OXr/VsYu4NTDde9hBuS0zx/rewD+BvSnmn NHNmH2FjUE8=
.                       172780  IN      DNSKEY  257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=
.                       172780  IN      RRSIG   DNSKEY 8 0 172800 20201211000000 20201120000000 20326 . eD2ohirt98vCTbuBKIH8lmGum8g2zumyXA89A999extXqsWmomgVQhcb l6zvJHLdFvhBmA+ZqhOTiXvdXpOPeyqHLuMiRv8TTawNU305WPnsonSx uD5ThT9q7YXUZc9ty19Aur3AU0KtlNGULI+4ExrghEkdTNrysqgDWBO6 zslPuJlzSwu/qZcPWYVjsWRnCtJ9DyCpgLnjSYIUzA0Xz+FWtj1jM0BK Z9EyO+W5EaGkL2/u+bWWG07ZKJN0NwvTuq7Ounc+lz0zZDh83r/H4KRN J4VIoY3qPDkW4ZvGdAFM5o8sZdTTWKbieqCqWccj8W6sHEdiZ91JCt/G 3/FVsw==

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Nov 22 20:14:55 CST 2020
;; MSG SIZE  rcvd: 893


The root zone is not forwarded and the file is located at 
#ls -al /usr/share/dns/root.hints*
-rw-r--r-- 1 root root 3311 May 29  2019 /usr/share/dns/root.hints
-rw-r--r-- 1 root root   72 May 29  2019 /usr/share/dns/root.hints.sig

Contents of the root.hints file are pasted at https://dpaste.com/EWKCX34NQ . File is provided with OS package -> dns-root-data  (Description: 2019052802  DNS root data including root zone and DNSSEC key)

Additional files provided by that package
#dpkg-query -L dns-root-data
/.
/usr
/usr/share
/usr/share/dns
/usr/share/dns/root.ds
/usr/share/dns/root.hints
/usr/share/dns/root.hints.sig
/usr/share/dns/root.key
/usr/share/doc
/usr/share/doc/dns-root-data
/usr/share/doc/dns-root-data/changelog.gz
/usr/share/doc/dns-root-data/copyright

Not sure what changed here, I am getting results now even after setting "dnssec-validation" to auto. Really puzzled.

#dig @127.0.0.1  +dnssec +cd dnskey www.facebook.com

; <<>> DiG 9.16.1-Ubuntu <<>> @127.0.0.1 +dnssec +cd dnskey www.facebook.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19781
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 028fb4fde9f61d53010000005fbb1fcca2b3cd29887d7e13 (good)
;; QUESTION SECTION:
;www.facebook.com.              IN      DNSKEY

;; ANSWER SECTION:
www.facebook.com.       2395    IN      CNAME   star-mini.c10r.facebook.com.

;; AUTHORITY SECTION:
c10r.facebook.com.      216     IN      SOA     a.ns.c10r.facebook.com. dns.facebook.com. 1606098709 300 600 600 300

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Nov 22 20:34:52 CST 2020
;; MSG SIZE  rcvd: 176


Thank you,
Upen




On Sun, Nov 22, 2020 at 5:47 PM Mark Andrews <[hidden email]> wrote:
Ok.  Let's start by debugging this from the trust anchor downwards.
Let's see what "dig +dnssec +cd dnskey ." returns.  It should return
something like below with 2 DNSKEY records and a RRSIG for the DNSKEY.
The RRSIG is regenerated daily so it will likely differ.  The DNSKEY
records should be an exact match.  In this case flags contains 'ad' which
means that the RRset has previously been validated.

[beetle:~/git/bind9] marka% dig +dnssec +cd dnskey .
;; BADCOOKIE, retrying.

; <<>> DiG 9.15.4 <<>> +dnssec +cd dnskey .
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12403
;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: f182281b307ab59a010000005fbaf21fcdc7ab7803361e3c (good)
;; QUESTION SECTION:
;.                              IN      DNSKEY

;; ANSWER SECTION:
.                       134751  IN      DNSKEY  257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=
.                       134751  IN      DNSKEY  256 3 8 AwEAAfC/6HLClwss6h7rPfoG2cliv4/SPJRd2HPEglRsvKZRbPP2RLfi obeAkczcdqaD5q8loEt14lcTgDqwzOISZ3YvSVkM4JRMFwKzcjukKo5C sDVbMmhTD0C0yxWICRQ1M+Y5/XkZAT7mt4cb3fWcN9xgyq1wEXQX+zdL QHrNEVQSiL5SoA5cOtCSoQ45n8bKDXdw/0jjP9Rw1FVKsdzLVkQSrVMm 8k30WUkHm/SK/n/954KENkdQOA6Li2vO9nicQdegyAkDeNJCdPN/p3jE hCTQLyO4AlAmyaPcDHeeo7OXr/VsYu4NTDde9hBuS0zx/rewD+BvSnmn NHNmH2FjUE8=
.                       134751  IN      RRSIG   DNSKEY 8 0 172800 20201211000000 20201120000000 20326 . eD2ohirt98vCTbuBKIH8lmGum8g2zumyXA89A999extXqsWmomgVQhcb l6zvJHLdFvhBmA+ZqhOTiXvdXpOPeyqHLuMiRv8TTawNU305WPnsonSx uD5ThT9q7YXUZc9ty19Aur3AU0KtlNGULI+4ExrghEkdTNrysqgDWBO6 zslPuJlzSwu/qZcPWYVjsWRnCtJ9DyCpgLnjSYIUzA0Xz+FWtj1jM0BK Z9EyO+W5EaGkL2/u+bWWG07ZKJN0NwvTuq7Ounc+lz0zZDh83r/H4KRN J4VIoY3qPDkW4ZvGdAFM5o8sZdTTWKbieqCqWccj8W6sHEdiZ91JCt/G 3/FVsw==

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Nov 23 10:19:59 AEDT 2020
;; MSG SIZE  rcvd: 893

[beetle:~/git/bind9] marka%

If you don't get an answer like this then we need to work out why.

Do you have a local copy of the root zone?  If so, is it from IANA
or from somewhere else?

Are you forwarding the root zone? If so, what do ALL the forwarders
return for "dig +dnssec +cd dnskey . @<server>" where <server> is
replaced by the IP address of each server?  If you are forwarding, is
it forward "first" or "only"?

Mark

> On 22 Nov 2020, at 08:20, upen <[hidden email]> wrote:
>
> Hello Anand, and all,
>
> >www.facebook.com
> $ dig @127.0.0.1 -t A www.facebook.com
>
> ; <<>> DiG 9.16.1-Ubuntu <<>> @127.0.0.1 -t A www.facebook.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38917
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: a18d9ed2a6d1bcd6010000005fb982763dfdafed174d4ef1 (good)
> ;; QUESTION SECTION:
> ;www.facebook.com.              IN      A
>
> ;; Query time: 4 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Sat Nov 21 15:11:18 CST 2020
> ;; MSG SIZE  rcvd: 73
>
> >  Your instance of BIND is probably logging to syslog. Look for these logs
> > (usually /var/log/messages), and see what BIND is logging. It may shed a
> > light on the problem. 
>
> Thank you. I enabled logging and when I grep for www.facebook.com, I notice the following output in four different named log files.
>
> debug.log:21-Nov-2020 15:11:18.004 queries: info: client @0x7fb6a800c0a0 127.0.0.1#33706 (www.facebook.com): query: www.facebook.com IN A +E(0)K (127.0.0.1)
> default.log:21-Nov-2020 15:11:18.008 client @0x7fb6a800c0a0 127.0.0.1#33706 (www.facebook.com): query failed (broken trust chain) for www.facebook.com/IN/A at query.c:6883
> dnssec.log:21-Nov-2020 15:11:18.008 validating www.facebook.com/CNAME: bad cache hit (com/DS)
> lame-servers.log:21-Nov-2020 15:11:18.008 broken trust chain resolving 'www.facebook.com/A/IN': 129.134.31.12#53
>
>
> Before running this query I also added dnssec-validation auto; to the options file and restarted the bind9 service. It's pointing to a broken trust chain which I am unsure how to resolve.
>
> Thanks,
> Upen
>
>
> On Sat, Nov 21, 2020 at 3:11 PM Anand Buddhdev <[hidden email]> wrote:
> On 21/11/2020 21:53, upen wrote:
>
> Hi Upen,
>
> > Could someone guide me to troubleshoot this further? Thank you for the
> > list.
>
> Your instance of BIND is probably logging to syslog. Look for these logs
> (usually /var/log/messages), and see what BIND is logging. It may shed a
> light on the problem.
>
> Regards,
> Anand
>
>
> --
> upen,
> emerge -uD life (Upgrade Life with dependencies)

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [hidden email]



--
upen,
emerge -uD life (Upgrade Life with dependencies)
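The log lines quoted in this exchange (dnssec.log's "bad cache hit (com/DS)" and lame-servers.log's "broken trust chain resolving ...") are what a defender would want to aggregate when a validating resolver starts returning SERVFAIL for many names at once. The following script is an added example, not code from the thread or from ISC; it reads named log lines on stdin and counts the validator messages per offending zone/type and per failing name. The sample lines are constructed in the format of the quoted entries (the 192.0.2.10 address is a documentation-range placeholder).

```shell
#!/bin/sh
# Added example (not from the thread): summarise DNSSEC validation failures
# from named's log output. Counts "bad cache hit (zone/TYPE)" messages per
# zone/type and "broken trust chain resolving 'name/TYPE/CLASS'" messages
# per name, so the zone whose DS record is being rejected stands out even
# when hundreds of different client names are failing.

trust_chain_summary() {
    awk -v q="'" '
        /bad cache hit \(/ {
            s = $0
            sub(/.*bad cache hit \(/, "", s)   # keep the text after "("
            sub(/\).*/, "", s)                 # drop ")" and anything after it
            bad[s]++
        }
        /broken trust chain resolving / {
            s = $0
            sub(/.*broken trust chain resolving /, "", s)
            s = substr(s, 2)                   # drop the opening quote
            s = substr(s, 1, index(s, q) - 1)  # keep up to the closing quote
            broken[s]++
        }
        END {
            for (k in bad)    printf "bad-cache-hit %s %d\n", k, bad[k]
            for (k in broken) printf "broken-trust-chain %s %d\n", k, broken[k]
        }' | LC_ALL=C sort
}

# Constructed sample lines in the format of the dnssec.log / lame-servers.log
# entries quoted in the thread; 192.0.2.10 is a documentation-range
# placeholder, not a real name server.
SAMPLE_LOG=$(cat <<'EOF'
21-Nov-2020 15:11:18.008 validating www.facebook.com/CNAME: bad cache hit (com/DS)
21-Nov-2020 15:11:18.008 broken trust chain resolving 'www.facebook.com/A/IN': 129.134.31.12#53
21-Nov-2020 15:11:25.113 validating yahoo.com/A: bad cache hit (com/DS)
21-Nov-2020 15:11:25.113 broken trust chain resolving 'yahoo.com/A/IN': 192.0.2.10#53
21-Nov-2020 15:11:40.500 broken trust chain resolving 'www.facebook.com/A/IN': 129.134.31.12#53
21-Nov-2020 15:12:00.001 queries: info: client 127.0.0.1#33706 (example.com): query: example.com IN A +E(0)K (127.0.0.1)
EOF
)

# On a live system feed the real files instead of the sample, e.g.
#   cat dnssec.log lame-servers.log | trust_chain_summary
printf '%s\n' "$SAMPLE_LOG" | trust_chain_summary
```

On the sample the summary shows one zone/type ("com/DS") behind every failure, which is the signal that the problem is in the resolver's view of the com delegation rather than in the individual names being looked up.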


Two copies of recent posts

Bind-Users forum mailing list
In reply to this post by Mark Andrews
I've been getting two identical copies of recent posts to this list
(such as this item). This only started happening in the past 24 hours
or so. Is anyone else seeing this?

Upon examination of the headers of the two copies, it looks like ISC's
list-servers are doing the duplication.

(The first part of the actual message follows the headers.)

---------
Received: from iment0.iment.com (localhost [127.0.0.1])
        by imes.imemail.iment.com (Postfix) with ESMTP id B72843283403
        for <[hidden email]>; Sun, 22 Nov 2020 18:48:18 -0500 (EST)
Received: from lists.isc.org (lists.isc.org [149.20.1.60])
        by iment0.iment.com (Postfix) with ESMTP id 7B3C3607948F
        for <[hidden email]>; Sun, 22 Nov 2020 18:48:18 -0500 (EST)
Received: from lists.isc.org (localhost [127.0.0.1])
        by lists.isc.org (Postfix) with ESMTP id B380C67F367;
        Sun, 22 Nov 2020 23:47:27 +0000 (UTC)
X-Original-To: [hidden email]
Delivered-To: [hidden email]
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53])
 by lists.isc.org (Postfix) with ESMTP id 026B967ED73;
 Sun, 22 Nov 2020 23:47:23 +0000 (UTC)
---------
Received: from iment0.iment.com (localhost [127.0.0.1])
        by imes.imemail.iment.com (Postfix) with ESMTP id EDA193283403
        for <[hidden email]>; Sun, 22 Nov 2020 18:48:27 -0500 (EST)
Received: from lists.isc.org (lists.isc.org [149.20.1.60])
        by iment0.iment.com (Postfix) with ESMTP id B3A43607948F
        for <[hidden email]>; Sun, 22 Nov 2020 18:48:27 -0500 (EST)
Received: from lists.isc.org (localhost [127.0.0.1])
        by lists.isc.org (Postfix) with ESMTP id E414B67F36E;
        Sun, 22 Nov 2020 23:47:27 +0000 (UTC)
X-Original-To: [hidden email]
Delivered-To: [hidden email]
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53])
 by lists.isc.org (Postfix) with ESMTP id 026B967ED73;
 Sun, 22 Nov 2020 23:47:23 +0000 (UTC)
----------


On Mon, 23 Nov 2020 10:47:20 +1100
Mark Andrews <[hidden email]> wrote:

> Ok.  Let's start by debugging this from the trust anchor downwards.
> Let's see what "dig +dnssec +cd dnskey ." returns.  It should return
> something like below with 2 DNSKEY records and a RRSIG for the DNSKEY.
> The RRSIG is regenerated daily so it will likely differ.  The DNSKEY
> records should be an exact match.  In this case flags contains 'ad' which
> means that the RRset has previously been validated.


Re: Servfail on Bind -9.16.1

Mark Andrews
In reply to this post by upen


> On 23 Nov 2020, at 13:37, upen <[hidden email]> wrote:
>
> Hi Mark and everyone,
>
> Thank you for continuing to help me.
> I have set DNSSEC validation to auto from no and restarted the bind9 service.
>
> # egrep dnssec-validation /etc/bind/named.conf.options
>         dnssec-validation auto;
>
> #dig +dnssec +cd dnskey .
> ; <<>> DiG 9.16.1-Ubuntu <<>> +dnssec +cd dnskey .
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30138
> ;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ; COOKIE: 4c28af06251e4b51010000005fbb1b1fa619c694e6bff1b4 (good)
> ;; QUESTION SECTION:
> ;.                              IN      DNSKEY
>
> ;; ANSWER SECTION:
> .                       172780  IN      DNSKEY  256 3 8 AwEAAfC/6HLClwss6h7rPfoG2cliv4/SPJRd2HPEglRsvKZRbPP2RLfi obeAkczcdqaD5q8loEt14lcTgDqwzOISZ3YvSVkM4JRMFwKzcjukKo5C sDVbMmhTD0C0yxWICRQ1M+Y5/XkZAT7mt4cb3fWcN9xgyq1wEXQX+zdL QHrNEVQSiL5SoA5cOtCSoQ45n8bKDXdw/0jjP9Rw1FVKsdzLVkQSrVMm 8k30WUkHm/SK/n/954KENkdQOA6Li2vO9nicQdegyAkDeNJCdPN/p3jE hCTQLyO4AlAmyaPcDHeeo7OXr/VsYu4NTDde9hBuS0zx/rewD+BvSnmn NHNmH2FjUE8=
> .                       172780  IN      DNSKEY  257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=
> .                       172780  IN      RRSIG   DNSKEY 8 0 172800 20201211000000 20201120000000 20326 . eD2ohirt98vCTbuBKIH8lmGum8g2zumyXA89A999extXqsWmomgVQhcb l6zvJHLdFvhBmA+ZqhOTiXvdXpOPeyqHLuMiRv8TTawNU305WPnsonSx uD5ThT9q7YXUZc9ty19Aur3AU0KtlNGULI+4ExrghEkdTNrysqgDWBO6 zslPuJlzSwu/qZcPWYVjsWRnCtJ9DyCpgLnjSYIUzA0Xz+FWtj1jM0BK Z9EyO+W5EaGkL2/u+bWWG07ZKJN0NwvTuq7Ounc+lz0zZDh83r/H4KRN J4VIoY3qPDkW4ZvGdAFM5o8sZdTTWKbieqCqWccj8W6sHEdiZ91JCt/G 3/FVsw==
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Sun Nov 22 20:14:55 CST 2020
> ;; MSG SIZE  rcvd: 893

So it looks like you are correctly able to validate the root's DNSKEY records ('ad' is set in flags).
Next, look at the next delegation, to COM.  The DS record for COM should look like this:

[beetle:bin/tests/system] marka% dig DS com +dnssec
;; BADCOOKIE, retrying.

; <<>> DiG 9.15.4 <<>> DS com +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4356
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 5b7d57a994cac977010000005fbb2bcb06affb16b27b98ff (good)
;; QUESTION SECTION:
;com. IN DS

;; ANSWER SECTION:
com. 33649 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com. 33649 IN RRSIG DS 8 1 86400 20201205050000 20201122040000 26116 . lYnjXIlENOzhY5t94JrTnNjkRxfaIvfhfwrxC4KQbVgGIbqfxRqjGlIu 8JIHQaKoIfxXqP93MNhkKvFhOK3t/hYGvQEND/A7x+ktC+0uQFvF0CvE p3qRwQ0HuwR8OSXyS07AjZWTjSUXKqI8/bctkx7CegJtn8uk872tdqEF dnWZT6Tvqtt2NrveR5baSdHybrmoftbCDxndfRKOv/pjcpe0Qy7EDXWQ YL4I9qPtA5+GdxUWvBTWDXCrYKWxfoj6S5L+kPproaiGCABq7XalJIt8 RdbBCkCANipsmBXAv61vy3BEyuJEjQqFxzi+MleJfxRSkaljIXd8A/d4 UM7sRg==

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Nov 23 14:26:03 AEDT 2020
;; MSG SIZE  rcvd: 395

[beetle:bin/tests/system] marka%

and the DNSKEY records for COM should look like this:

[beetle:bin/tests/system] marka% dig DNSKEY com +dnssec
;; BADCOOKIE, retrying.

; <<>> DiG 9.15.4 <<>> DNSKEY com +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25522
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 3ebc796c874b8ce9010000005fbb2c17cd6a9d9d8b8a5977 (good)
;; QUESTION SECTION:
;com. IN DNSKEY

;; ANSWER SECTION:
com. 33656 IN DNSKEY 256 3 8 AwEAAadfNlrLwDe1W0klTRoNDeeEfZAop76YMUvOtl2pu0lXE5Fzj1sD ROflxnOGTI9RfwrA0rD0ixBkW32Pu1nheytLBrPZ32hva+iY8jYQ/TPi Msbc/soa8KHQ77eaJtJAImc+VLuXrI1QmRyrywJWU1fkZ9GyPP5YAhgn ttH6ZDXgMeJYjzs5CLfMiV9vAWFgJvy98bG97JP3PpHL9/8BTGM=
com. 33656 IN DNSKEY 257 3 8 AQPDzldNmMvZFX4NcNJ0uEnKDg7tmv/F3MyQR0lpBmVcNcsIszxNFxsB fKNW9JYCYqpik8366LE7VbIcNRzfp2h9OO8HRl+H+E08zauK8k7evWEm u/6od+2boggPoiEfGNyvNPaSI7FOIroDsnw/taggzHRX1Z7SOiOiPWPN IwSUyWOZ79VmcQ1GLkC6NlYvG3HwYmynQv6oFwGv/KELSw7ZSdrbTQ0H XvZbqMUI7BaMskmvgm1G7oKZ1YiF7O9ioVNc0+7ASbqmZN7Z98EGU/Qh 2K/BgUe8Hs0XVcdPKrtyYnoQHd2ynKPcMMlTEih2/2HDHjRPJ2aywIpK Nnv4oPo/
com. 33656 IN RRSIG DNSKEY 8 1 86400 20201206192421 20201121191921 30909 com. K3w8cixeKqKbELJMyFynhuA+1oQYbLNSZhZ1NcSofx+ND3ImYoQ4rodY uZokFmKvJkZvrBMSF0tfwWLYbyX+Xw2Fb//KKDD6gluN/evmoH3xv/XC j4WFRUwF1L5jPjeylY233GzQN2RVHDFFpsdczcGwNp2BqyBMXHe2Lv+1 kOeTfEoA/XJdZSEMlo3V0xq6sxB9747wRfHm17ockLIHtWMI8eSyIO92 nTQj2WZninySf6N8yb5tGUu0ABoXlVF6fc9INybFNTZg7gF85hfCtjK4 Ko6W97d1CW5AyvGprYtJgNQDqzqoP7qkvFI4oSRDZJITwamhci90hBMv cXZDWA==

;; Query time: 6 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Nov 23 14:27:19 AEDT 2020
;; MSG SIZE  rcvd: 805

[beetle:bin/tests/system] marka%

and as facebook.com is not signed, you should get a negative response like this:

[beetle:bin/tests/system] marka% dig DS facebook.com +dnssec
;; BADCOOKIE, retrying.

; <<>> DiG 9.15.4 <<>> DS facebook.com +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28221
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 8502baa6ff39d4e6010000005fbb2c54d8973480d1f10428 (good)
;; QUESTION SECTION:
;facebook.com. IN DS

;; AUTHORITY SECTION:
com. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1606102077 1800 900 604800 86400
com. 900 IN RRSIG SOA 8 1 900 20201130032757 20201123021757 31510 com. cwoLEgQQ8YIPJi62EkW5J7qqTJuA/uOc477ST6Iy45DstUYd4rj6ecGK fJHIku27I2EBXqacjgi3oE7DxFKWYvxsr3mvata1bCdcGEa1tv3RS9/E huSaFE4ZNTSWRU8RNRpkqauWpyQRDve2hUkVTARNcHWYEFxrMEz6dL5q V5qCzI+h0CiWmo249Akbqn2sIhbgmSqolkkrXd7C936r1w==
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 900 IN RRSIG NSEC3 8 2 86400 20201129054027 20201122043027 31510 com. kZw7h9mbKgXQ2YhIp+jKmg5xOUmZq7HPGRTZ2ERwIA5FjOBIkEWqWHga SZhV/78SqH26QbwCXQnf0Hv7xzMdVwYOr7FwDE+7a//cL8yRe5pBd5Bb y1QORmqRT8kTshhedhwyxjzk4TxcN8M0/JqiDUhb6iHacDFqqwIhm13l Wy0xjM5nojLmY/fYuH/mKSsz5XlfEKGqG5q1FbZUZWhj3Q==
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 900 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
I28FT380NFMJ3TJ970NBAD0HSSK1LEOK.com. 900 IN RRSIG NSEC3 8 2 86400 20201127071904 20201120060904 31510 com. VuV00I8jZMAbQmVLBub0Yfk5eEng8NkCFrPCvK/19YpzEzkWKPpOVcya xZqYZzAVBhSP/n2/kcC8tkDMFZHL8rbGAg/jPpJCAhp2Tszhc8pzqKtZ CmFMZtO8HQGx1ZjCGpzHZ+6/5irvE7NJrkndTmoOd/1RfS/WeZseAkCb 204Td7fE0C5D/8oGRb81vFICH2IjnykeoEguPvWLXnWfqw==
I28FT380NFMJ3TJ970NBAD0HSSK1LEOK.com. 900 IN NSEC3 1 1 0 - I28GLTLV5D2H16BES4T7GHH4AABNFOB0 NS DS RRSIG

;; Query time: 99 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Nov 23 14:28:20 AEDT 2020
;; MSG SIZE  rcvd: 889




--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [hidden email]
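Mark's procedure above is a walk down the chain of trust: root DNSKEY, then DS and DNSKEY for com, then DS for facebook.com, reading the status and the 'ad' flag of each answer. The script below is an added example, not code from the thread or from ISC, that automates that walk against a resolver (default 127.0.0.1, as in the thread) using dig, and stops at the first zone where validation fails. It assumes dig is installed; the live walk only runs when the script is invoked with --run, so the parsing helpers can be exercised offline on the constructed sample headers included in the block.

```shell
#!/bin/sh
# Added example (not from the thread): walk the DNSSEC chain of trust for a
# name from the root downwards, as done by hand in the thread, and report
# the first zone where the resolver under test stops validating.
# Assumes dig is installed and the resolver (default 127.0.0.1) is reachable.

# Ancestors of a name, root first:
#   "www.facebook.com" -> ". com. facebook.com. www.facebook.com."
zone_chain() {
    name=${1%.}
    out="."
    suffix=""
    while [ -n "$name" ]; do
        label=${name##*.}                 # rightmost label
        if [ "$label" = "$name" ]; then
            name=""
        else
            name=${name%.*}
        fi
        suffix="${label}.${suffix}"
        out="$out $suffix"
    done
    printf '%s\n' "$out"
}

# RCODE from dig output ("NOERROR", "SERVFAIL", ...)
response_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# True when the header flags carry "ad" (the resolver validated the answer)
has_ad_flag() {
    printf '%s\n' "$1" | grep -q '^;; flags:.* ad[ ;]'
}

# Interpret one response in the terms the thread uses:
#   VALIDATED = NOERROR with ad; INSECURE = NOERROR without ad (e.g. the
#   unsigned facebook.com delegation); BROKEN = SERVFAIL or no status line
classify_response() {
    status=$(response_status "$1")
    case "$status" in
        NOERROR)
            if has_ad_flag "$1"; then echo VALIDATED; else echo INSECURE; fi ;;
        SERVFAIL|"") echo BROKEN ;;
        *) echo "$status" ;;
    esac
}

# Query one RRtype for one zone. No +cd here: a validation failure then
# surfaces as SERVFAIL at exactly the zone where the chain breaks.
query() {
    dig +dnssec "$1" "$2" "@$3" 2>&1
}

walk_chain() {
    name=$1; server=${2:-127.0.0.1}
    for zone in $(zone_chain "$name"); do
        if [ "$zone" = "." ]; then types="DNSKEY"; else types="DS DNSKEY"; fi
        for type in $types; do
            verdict=$(classify_response "$(query "$type" "$zone" "$server")")
            printf '%-7s %-28s %s\n' "$type" "$zone" "$verdict"
            # First break found: everything below it will SERVFAIL as well.
            [ "$verdict" = "BROKEN" ] && return 1
            # No validated DS means an unsigned delegation; names below it
            # resolve as insecure, which is the expected outcome, not an error.
            [ "$type" = "DS" ] && [ "$verdict" = "INSECURE" ] && return 0
        done
    done
    return 0
}

# Constructed sample headers modelled on the dig output in the thread, so the
# classifier can be checked without a network.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30138
;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46111
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38917
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Usage: sh dnssec_chain_walk.sh --run www.facebook.com [resolver-ip]
if [ "${1:-}" = "--run" ]; then
    walk_chain "$2" "${3:-127.0.0.1}"
fi
```

For www.facebook.com on a healthy resolver the walk prints VALIDATED for the root DNSKEY and for the com DS and DNSKEY, then INSECURE for the facebook.com DS and stops, which is the same picture as the four dig outputs above. A BROKEN verdict at the com DS step would correspond to the "bad cache hit (com/DS)" log message from earlier in the thread.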


Re: Two copies of recent posts

Bind-Users forum mailing list
In reply to this post by Bind-Users forum mailing list
On Sun, 2020-11-22 at 21:56 -0500, Paul Kosinski via bind-users wrote:
> I've been getting two identical copies of recent posts to this list...

Me too, but it's because of people hitting reply-all thinking that they
are replying to the list and the poster.  People really need to verify
who they are replying to, it's easy to see from the "Servfail on Bind
-9.16.1" thread where the problem(s) exist.

Note Paul, I only received one copy of your post, and you should be only
receiving one copy of my reply.

-Jim P.



Re: Servfail on Bind -9.16.1

upen
In reply to this post by Mark Andrews
Hello,
Thank you.

1. DS record for com
#dig DS com +dnssec

; <<>> DiG 9.16.1-Ubuntu <<>> DS com +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14029
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: fdfd77fc04700d72010000005fbb323fa7e65af53e803915 (good)
;; QUESTION SECTION:
;com.                           IN      DS

;; ANSWER SECTION:
com.                    80472   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.                    80472   IN      RRSIG   DS 8 1 86400 20201205170000 20201122160000 26116 . fu2mVhKX9+oDAx9T8LrIyli5yTBk28mCDw8SbAuIFKuRhGI8QiOgchEZ 0KzSaSpfBHpgVoq6mN8WFHeSPhPeZ5EOMbXvMjv9nvHNVKylu4C5mSRt nWuoVXU531uYFEtuqJgcCoNBsiIznbq/3GkAZeYkc8pj/Hkma/p0/QYh Lb1Mz/lW4SJNc03Kw0jDNw6Z2C1XGvDG3iHeJ6CFrZrvp7U41qDNqZEm NT7T7/JXoUdy6evi6LCLXtZ4QAqKv5HReDRlVTkmAWVnQw+PtJ75nvCV 4pP3jp5ih70OSCQx3iB7xJ/8GtWiI5DvD9fmlbX8CRNu12sKX1/e/Lxd Ph1JXw==

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Nov 22 21:53:35 CST 2020
;; MSG SIZE  rcvd: 395



2. DNSSEC KEY for com
#dig DNSKEY com +dnssec

; <<>> DiG 9.16.1-Ubuntu <<>> DNSKEY com +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4992
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: dc1c3f1a640d17b0010000005fbb32a0c7fadb271d47476e (good)
;; QUESTION SECTION:
;com.                           IN      DNSKEY

;; ANSWER SECTION:
com.                    80375   IN      DNSKEY  257 3 8 AQPDzldNmMvZFX4NcNJ0uEnKDg7tmv/F3MyQR0lpBmVcNcsIszxNFxsB fKNW9JYCYqpik8366LE7VbIcNRzfp2h9OO8HRl+H+E08zauK8k7evWEm u/6od+2boggPoiEfGNyvNPaSI7FOIroDsnw/taggzHRX1Z7SOiOiPWPN IwSUyWOZ79VmcQ1GLkC6NlYvG3HwYmynQv6oFwGv/KELSw7ZSdrbTQ0H XvZbqMUI7BaMskmvgm1G7oKZ1YiF7O9ioVNc0+7ASbqmZN7Z98EGU/Qh 2K/BgUe8Hs0XVcdPKrtyYnoQHd2ynKPcMMlTEih2/2HDHjRPJ2aywIpK Nnv4oPo/
com.                    80375   IN      DNSKEY  256 3 8 AwEAAadfNlrLwDe1W0klTRoNDeeEfZAop76YMUvOtl2pu0lXE5Fzj1sD ROflxnOGTI9RfwrA0rD0ixBkW32Pu1nheytLBrPZ32hva+iY8jYQ/TPi Msbc/soa8KHQ77eaJtJAImc+VLuXrI1QmRyrywJWU1fkZ9GyPP5YAhgn ttH6ZDXgMeJYjzs5CLfMiV9vAWFgJvy98bG97JP3PpHL9/8BTGM=
com.                    80375   IN      RRSIG   DNSKEY 8 1 86400 20201206192421 20201121191921 30909 com. K3w8cixeKqKbELJMyFynhuA+1oQYbLNSZhZ1NcSofx+ND3ImYoQ4rodY uZokFmKvJkZvrBMSF0tfwWLYbyX+Xw2Fb//KKDD6gluN/evmoH3xv/XC j4WFRUwF1L5jPjeylY233GzQN2RVHDFFpsdczcGwNp2BqyBMXHe2Lv+1 kOeTfEoA/XJdZSEMlo3V0xq6sxB9747wRfHm17ockLIHtWMI8eSyIO92 nTQj2WZninySf6N8yb5tGUu0ABoXlVF6fc9INybFNTZg7gF85hfCtjK4 Ko6W97d1CW5AyvGprYtJgNQDqzqoP7qkvFI4oSRDZJITwamhci90hBMv cXZDWA==

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Nov 22 21:55:12 CST 2020
;; MSG SIZE  rcvd: 805



3. DS Record for facebook.com

#dig @127.0.0.1 DS facebook.com +dnssec

; <<>> DiG 9.16.1-Ubuntu <<>> @127.0.0.1 DS facebook.com +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46111
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: ccfca253df729ea8010000005fbb331e11884fb6d63208e5 (good)
;; QUESTION SECTION:
;facebook.com.                  IN      DS

;; AUTHORITY SECTION:
com.                    882     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1606103797 1800 900 604800 86400
com.                    882     IN      RRSIG   SOA 8 1 900 20201130035637 20201123024637 31510 com. CGHfYUjxwqYzK47ZkmMbdc7EVOnRYIjznaXmlMUphkxmWaw94HPio88H U8kUx3H1wd3h9Ahtgsk74ctwILFBiUH2SHtQZ7HYJvRAZBv5+JvxSH54 aKLMOJWBoeS2M9UFeUcoC/IAkgyOG/4sfkz0W4hdV6vsgZsTLCoGjXnj kQu1W/d6b7SttLX0pMg6OIwEXJbGlWnRIycaBt19tFmm6A==
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 882 IN RRSIG NSEC3 8 2 86400 20201129054027 20201122043027 31510 com. kZw7h9mbKgXQ2YhIp+jKmg5xOUmZq7HPGRTZ2ERwIA5FjOBIkEWqWHga SZhV/78SqH26QbwCXQnf0Hv7xzMdVwYOr7FwDE+7a//cL8yRe5pBd5Bb y1QORmqRT8kTshhedhwyxjzk4TxcN8M0/JqiDUhb6iHacDFqqwIhm13l Wy0xjM5nojLmY/fYuH/mKSsz5XlfEKGqG5q1FbZUZWhj3Q==
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 882 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
I28FT380NFMJ3TJ970NBAD0HSSK1LEOK.com. 882 IN RRSIG NSEC3 8 2 86400 20201127071904 20201120060904 31510 com. VuV00I8jZMAbQmVLBub0Yfk5eEng8NkCFrPCvK/19YpzEzkWKPpOVcya xZqYZzAVBhSP/n2/kcC8tkDMFZHL8rbGAg/jPpJCAhp2Tszhc8pzqKtZ CmFMZtO8HQGx1ZjCGpzHZ+6/5irvE7NJrkndTmoOd/1RfS/WeZseAkCb 204Td7fE0C5D/8oGRb81vFICH2IjnykeoEguPvWLXnWfqw==
I28FT380NFMJ3TJ970NBAD0HSSK1LEOK.com. 882 IN NSEC3 1 1 0 - I28GLTLV5D2H16BES4T7GHH4AABNFOB0 NS DS RRSIG

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Nov 22 21:57:18 CST 2020
;; MSG SIZE  rcvd: 889


Thank you for that information Mark. I appreciate it. It looks like it's working now. Steps provided will help debug issues in future. :-)

Best,
Upen
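To read a DS lookup like the one above mechanically, here is an added Python example (not code from the thread or from BIND) that pulls the status, flags and AUTHORITY record types out of dig output and classifies the delegation; the dig text embedded in it is a constructed, shortened copy in the style of the output shown above.

```python
import re

# Constructed sample in the style of the DS lookup shown above (records abbreviated).
NO_DS_SAMPLE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46111
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1

;; QUESTION SECTION:
;facebook.com.                  IN      DS

;; AUTHORITY SECTION:
com.                    882     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1606103797 1800 900 604800 86400
com.                    882     IN      RRSIG   SOA 8 1 900 20201130035637 20201123024637 31510 com. CGHf...
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 882 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM

;; Query time: 0 msec
"""
# Constructed sample of the failure the thread started with.
SERVFAIL_SAMPLE = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53918
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

def parse_dig(text):
    """Extract status, header flags, answer count and the RR types in the AUTHORITY section."""
    m = re.search(r"status: (\w+)", text)
    status = m.group(1) if m else "UNKNOWN"
    m = re.search(r"^;; flags: ([a-z ]*);.*?ANSWER: (\d+)", text, re.M)
    flags = set(m.group(1).split()) if m else set()
    answer = int(m.group(2)) if m else 0
    types, in_auth = [], False
    for line in text.splitlines():
        if line.startswith(";; AUTHORITY SECTION:"):
            in_auth = True
        elif in_auth:
            if not line.strip() or line.startswith(";;"):
                break
            types.append(line.split()[3])  # owner TTL class TYPE ...
    return {"status": status, "flags": flags, "answer": answer, "authority_types": types}

def classify_ds_lookup(text):
    """SERVFAIL: resolution or validation failed (re-run with +cd to tell them apart).
    DS in ANSWER: signed delegation. NOERROR, no DS, NSEC/NSEC3 in AUTHORITY: proven
    unsigned (insecure) delegation, which validates cleanly and must not SERVFAIL.
    The 'ad' flag appears only when the resolver itself validated the response."""
    s = parse_dig(text)
    if s["status"] == "SERVFAIL":
        return "servfail"
    if s["status"] != "NOERROR":
        return "unexpected:" + s["status"]
    if s["answer"] > 0:
        return "ds-present"
    if "NSEC3" in s["authority_types"] or "NSEC" in s["authority_types"]:
        return "no-ds-proven-insecure"
    return "no-ds-unproven"
```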


Re: Two copies of recent posts

Reindl Harald
In reply to this post by Bind-Users forum mailing list


On 23.11.20 at 04:58, Jim Popovitch via bind-users wrote:
> On Sun, 2020-11-22 at 21:56 -0500, Paul Kosinski via bind-users wrote:
>> I've been getting two identical copies of recent posts to this list...
>
> Me too, but it's because of people hitting reply-all thinking that they
> are replying to the list and the poster.  

why don't you just read what you respond to when "Upon examination of
the headers of the two copies, it looks like ISC's list-servers are
doing the duplication" including the headers were part of the original
post?

typically that happens when a connection was interrupted (no matter
smtp or local lmtp) in the moment it would have said "OK got it" from
the destination hop and so the client tries again

below the headers of the OP

P.S.: this is a reply-all by intention because it takes ages on this
list when you are moderated because you answered to a personal attack
instead suck it

---------

Received: from iment0.iment.com (localhost [127.0.0.1])
        by imes.imemail.iment.com (Postfix) with ESMTP id B72843283403
        for <[hidden email]>; Sun, 22 Nov 2020 18:48:18 -0500 (EST)
Received: from lists.isc.org (lists.isc.org [149.20.1.60])
        by iment0.iment.com (Postfix) with ESMTP id 7B3C3607948F
        for <[hidden email]>; Sun, 22 Nov 2020 18:48:18 -0500 (EST)
Received: from lists.isc.org (localhost [127.0.0.1])
        by lists.isc.org (Postfix) with ESMTP id B380C67F367;
        Sun, 22 Nov 2020 23:47:27 +0000 (UTC)
X-Original-To: [hidden email]
Delivered-To: [hidden email]
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53])
  by lists.isc.org (Postfix) with ESMTP id 026B967ED73;
  Sun, 22 Nov 2020 23:47:23 +0000 (UTC)

---------

Received: from iment0.iment.com (localhost [127.0.0.1])
        by imes.imemail.iment.com (Postfix) with ESMTP id EDA193283403
        for <[hidden email]>; Sun, 22 Nov 2020 18:48:27 -0500 (EST)
Received: from lists.isc.org (lists.isc.org [149.20.1.60])
        by iment0.iment.com (Postfix) with ESMTP id B3A43607948F
        for <[hidden email]>; Sun, 22 Nov 2020 18:48:27 -0500 (EST)
Received: from lists.isc.org (localhost [127.0.0.1])
        by lists.isc.org (Postfix) with ESMTP id E414B67F36E;
        Sun, 22 Nov 2020 23:47:27 +0000 (UTC)
X-Original-To: [hidden email]
Delivered-To: [hidden email]
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53])
  by lists.isc.org (Postfix) with ESMTP id 026B967ED73;
  Sun, 22 Nov 2020 23:47:23 +0000 (UTC)

----------
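To check that claim against the headers themselves, here is an added Python example (not part of the thread) that walks both Received chains from the origin hop and reports the host at which the Postfix queue ids first diverge, i.e. the hop that accepted the message twice. The sample headers are the two blocks above, unfolded to one line each, with a placeholder recipient.

```python
import re

# Constructed from the two header blocks quoted above: each Received header unfolded
# onto one line, recipient replaced by a placeholder, queue ids as shown in the post.
COPY_1 = """Received: from iment0.iment.com (localhost [127.0.0.1]) by imes.imemail.iment.com (Postfix) with ESMTP id B72843283403 for <user@example.invalid>; Sun, 22 Nov 2020 18:48:18 -0500 (EST)
Received: from lists.isc.org (lists.isc.org [149.20.1.60]) by iment0.iment.com (Postfix) with ESMTP id 7B3C3607948F for <user@example.invalid>; Sun, 22 Nov 2020 18:48:18 -0500 (EST)
Received: from lists.isc.org (localhost [127.0.0.1]) by lists.isc.org (Postfix) with ESMTP id B380C67F367; Sun, 22 Nov 2020 23:47:27 +0000 (UTC)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) by lists.isc.org (Postfix) with ESMTP id 026B967ED73; Sun, 22 Nov 2020 23:47:23 +0000 (UTC)
"""
COPY_2 = """Received: from iment0.iment.com (localhost [127.0.0.1]) by imes.imemail.iment.com (Postfix) with ESMTP id EDA193283403 for <user@example.invalid>; Sun, 22 Nov 2020 18:48:27 -0500 (EST)
Received: from lists.isc.org (lists.isc.org [149.20.1.60]) by iment0.iment.com (Postfix) with ESMTP id B3A43607948F for <user@example.invalid>; Sun, 22 Nov 2020 18:48:27 -0500 (EST)
Received: from lists.isc.org (localhost [127.0.0.1]) by lists.isc.org (Postfix) with ESMTP id E414B67F36E; Sun, 22 Nov 2020 23:47:27 +0000 (UTC)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) by lists.isc.org (Postfix) with ESMTP id 026B967ED73; Sun, 22 Nov 2020 23:47:23 +0000 (UTC)
"""

# One hop: the sending host, the accepting host and the queue id it assigned.
HOP = re.compile(r"^Received: from (\S+) .*? by (\S+) .*? id ([0-9A-F]+)", re.M)

def hops(headers):
    """Return (from, by, queue_id) tuples oldest-first. Each hop prepends its own
    Received header, so the top of the header block is the newest hop."""
    return list(reversed(HOP.findall(headers)))

def first_divergence(copy_a, copy_b):
    """Compare the two chains hop by hop from the origin. The first hop whose queue
    id differs is where one message became two; return the host that accepted it
    there, or None if the chains are identical (same message, not a duplicate)."""
    for hop_a, hop_b in zip(hops(copy_a), hops(copy_b)):
        if hop_a[2] != hop_b[2]:
            return hop_a[1]
    return None

if __name__ == "__main__":
    # In the sample both copies share the id assigned when mx.pao1.isc.org handed the
    # message to lists.isc.org; the ids diverge at the next hop, where lists.isc.org
    # re-injected the message to itself twice.
    print(first_divergence(COPY_1, COPY_2))  # → lists.isc.org
```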

Re: Two copies of recent posts

Matus UHLAR - fantomas
In reply to this post by Bind-Users forum mailing list
On 22.11.20 21:56, Paul Kosinski via bind-users wrote:
>I've been getting two identical copies of recent posts to this list
>(such as this item). This only started happening in the past 24 hours
>or so. Is anyone else seeing this?
>
>Upon examination of the headers of the two copies, it looks like ISC's
>list-servers are doing the duplication.

No, it's some people sending duplicate mail:

Cc: [hidden email], BIND Users <[hidden email]>

IIRC this happened to me when I set up [hidden email] as list address
and when using list-reply, my MUA mutt decided the mail has to go to another
address as long:

List-Post: <mailto:[hidden email]>

in this case, this seems to be OP's fault, when the first reply went to [hidden email]
together with [hidden email] and people who replied continued
sending to multiple addresses.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Eagles may soar, but weasels don't get sucked into jet engines.