dig ds c10r.facebook.com returns SERVFAIL
Laurent Bigonville
bigon+bind at bigon.be
Mon Sep 3 20:26:35 UTC 2018
On 3/09/18 21:03, Tony Finch wrote:
> Laurent Bigonville <bigon+bind at bigon.be> wrote:
>> With bind9 server (I can reproduce that on RHEL7 with 9.9.4, debian stable
>> with 9.10.3 and also debian unstable with 9.11.4) when doing "dig ds
>> c10r.facebook.com @10.122.17.186", I get a SERVFAIL.
> This is because the authoritative servers for facebook.com do not
> implement any DNSSEC, so they don't know that DS records are found on the
> parent side of a zone cut, so they return a referral instead of a negative
> answer. BIND treats this as a server failure, and does not attempt to work
> around the antediluvian ignorance of the auth servers. In practice it
> shouldn't matter since there shouldn't be any signed zones underneath a
> server that doesn't know about DNSSEC.
The problem is that systemd-resolved (maybe other software is doing the
same?) is asking for the DS record to check if the record is supposed to be
signed (well I think) before trying to do DNSSEC validation on the
client side.
I'm also wondering (and pardon my ignorance), why does bind try
all the forwarders and the auth server if the 1st server already
replied with an empty answer and a NOERROR?
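The distinction Tony describes above, a referral versus a negative answer for a DS query at a zone cut, is what a validating resolver has to decide from the shape of the response. The following is an added illustration, not BIND's code or anything from this thread: a small stdlib-only DNS wire-format builder and parser, plus a classifier that labels an empty NOERROR response as "nodata" (SOA in the authority section, AA set, which is what a DNSSEC-aware parent returns when no DS exists) or as "referral" (NS records in the authority section, AA clear, which is what the thread reports the non-DNSSEC authoritative servers return). All messages, names and nameserver values below are constructed for the example.

```python
import struct

# RR type codes used below (IANA DNS parameters)
TYPE_NS, TYPE_SOA, TYPE_DS = 2, 6, 43
CLASS_IN = 1
FLAG_QR, FLAG_AA = 0x8000, 0x0400
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, qtype, rcode=RCODE_NOERROR, aa=False, answer=(), authority=()):
    """Build a minimal one-question DNS response; records are (name, type, ttl, rdata)."""
    flags = FLAG_QR | (FLAG_AA if aa else 0) | rcode
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answer), len(authority), 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    for name, rtype, ttl, rdata in list(answer) + list(authority):
        msg += encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
    return msg


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, jumped, end = [], False, None
    for _ in range(128):  # bound the walk so a pointer loop cannot hang the parser
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    else:
        raise ValueError("name compression loop")
    return ".".join(labels) + ".", end if jumped else offset


def parse_response(msg):
    """Parse header, question and the answer/authority/additional sections."""
    _, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    qname, offset = decode_name(msg, offset)
    qtype, _ = struct.unpack("!HH", msg[offset:offset + 4])
    offset += 4
    sections = []
    for count in (an, ns, ar):
        records = []
        for _ in range(count):
            name, offset = decode_name(msg, offset)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
            offset += 10
            records.append((name, rtype, ttl, msg[offset:offset + rdlen]))
            offset += rdlen
        sections.append(records)
    return {"rcode": flags & 0xF, "aa": bool(flags & FLAG_AA), "qname": qname,
            "qtype": qtype, "answer": sections[0], "authority": sections[1],
            "additional": sections[2]}


def classify(msg):
    """Label a response the way a resolver must before trusting an empty NOERROR."""
    r = parse_response(msg)
    if r["rcode"] == RCODE_NXDOMAIN:
        return "nxdomain"
    if r["rcode"] != RCODE_NOERROR:
        return "error"
    if any(rr[1] == r["qtype"] for rr in r["answer"]):
        return "answer"
    auth_types = {rr[1] for rr in r["authority"]}
    if TYPE_SOA in auth_types:
        return "nodata"    # negative answer: name exists, no RRs of the asked type
    if TYPE_NS in auth_types and not r["aa"]:
        return "referral"  # a delegation, not a negative answer about DS
    return "unexpected"


def referral_for_ds():
    # Constructed: an auth server that ignores DNSSEC answers a child DS query
    # with a referral to the child's NS set (the nameserver name is made up).
    authority = [("c10r.facebook.com.", TYPE_NS, 3600, encode_name("ns1.child.example."))]
    return classify(build_response("c10r.facebook.com.", TYPE_DS, authority=authority))


def nodata_for_ds():
    # Constructed: a DNSSEC-aware parent answers authoritatively with its SOA,
    # meaning "this child has no DS" (SOA field values are made up).
    soa = (encode_name("a.ns.example.") + encode_name("hostmaster.example.")
           + struct.pack("!IIIII", 1, 7200, 1800, 1209600, 300))
    authority = [("facebook.com.", TYPE_SOA, 300, soa)]
    return classify(build_response("c10r.facebook.com.", TYPE_DS, aa=True, authority=authority))


if __name__ == "__main__":
    print("non-DNSSEC auth server:", referral_for_ds())
    print("DNSSEC-aware parent:   ", nodata_for_ds())
```

Only the "nodata" shape tells a validator that the child is unsigned; the "referral" shape answers a different question (who serves the child), which is why a strict resolver cannot treat it as proof of absence and falls back to SERVFAIL.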