Reasons of SERVFAIL

Alessandro Vesely vesely at tana.it
Sat Feb 8 11:17:32 UTC 2020


Hi

On Sat 08/Feb/2020 12:05:23 +0100 Ondřej Surý wrote:
> If `dig +dnssec +cd emeraldonion.org mx` will give you answers and `dig +dnssec emeraldonion.org mx` does not, then it’s most probably validation failure.


Aha, +cd is what I wanted to learn.  Thanks a lot!


> 
> Then of course based on your logging setup, the validation failures might be visible in BIND 9 log.


Indeed:

/var/log/named.log:08-Feb-2020 10:46:34.703 lame-servers: info: no valid RRSIG resolving '_mta-sts.emeraldonion.org/DS/IN': 45.76.136.88#53
/var/log/named.log:08-Feb-2020 10:46:34.971 lame-servers: info: no valid DS resolving '_mta-sts.emeraldonion.org/TXT/IN': 45.76.37.222#53
/var/log/named.log:08-Feb-2020 10:46:34.990 lame-servers: info: broken trust chain resolving '_mta-sts.emeraldonion.org/TXT/IN': 45.76.136.88#53
/var/log/named.log:08-Feb-2020 10:46:35.010 lame-servers: info: insecurity proof failed resolving 'emeraldonion.org/MX/IN': 45.32.180.186#53
[...]



Best
Ale
-- 
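
Added example, not part of the original message: a small Python filter that pulls the DNSSEC validation failures out of `named.log` lines like those quoted above and lists the owner names worth re-querying with and without `+cd`. The function names, the constructed `connection refused` sample line, and the restriction to the four reasons seen in the excerpt are assumptions of this example.

```python
import re
from collections import defaultdict

# Validation-failure reasons that appear in the log excerpt above.
# BIND logs other messages too; this set is limited to what the thread shows.
DNSSEC_REASONS = {"no valid RRSIG", "no valid DS",
                  "broken trust chain", "insecurity proof failed"}

# Optional "file:" prefix (grep output), timestamp, category, severity,
# then "<reason> resolving '<name>/<type>/<class>': <server>#<port>".
LINE_RE = re.compile(
    r"^(?:[^:\s]+:)?"
    r"(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<category>[\w-]+): (?P<severity>\w+): "
    r"(?P<reason>.+?) resolving "
    r"'(?P<name>[^/']+)/(?P<rtype>[^/']+)/(?P<rclass>[^/']+)': "
    r"(?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+)\s*$"
)

# First four lines are from the message; the fifth is constructed to show
# a lame-servers entry that is not a validation failure.
SAMPLE = """\
/var/log/named.log:08-Feb-2020 10:46:34.703 lame-servers: info: no valid RRSIG resolving '_mta-sts.emeraldonion.org/DS/IN': 45.76.136.88#53
/var/log/named.log:08-Feb-2020 10:46:34.971 lame-servers: info: no valid DS resolving '_mta-sts.emeraldonion.org/TXT/IN': 45.76.37.222#53
/var/log/named.log:08-Feb-2020 10:46:34.990 lame-servers: info: broken trust chain resolving '_mta-sts.emeraldonion.org/TXT/IN': 45.76.136.88#53
/var/log/named.log:08-Feb-2020 10:46:35.010 lame-servers: info: insecurity proof failed resolving 'emeraldonion.org/MX/IN': 45.32.180.186#53
08-Feb-2020 10:46:36.000 lame-servers: info: connection refused resolving 'example.net/A/IN': 192.0.2.1#53
[...]
""".splitlines()


def validation_failures(lines):
    """Map (qname, qtype) -> [(reason, server), ...] for DNSSEC failures only."""
    failures = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m["reason"] in DNSSEC_REASONS:
            key = (m["name"].lower(), m["rtype"])
            failures[key].append((m["reason"], m["server"]))
    return dict(failures)


def names_to_retest(failures):
    """Owner names to compare with `dig +dnssec` and `dig +dnssec +cd`."""
    return sorted({name for name, _ in failures})


if __name__ == "__main__":
    found = validation_failures(SAMPLE)
    for (name, rtype), events in found.items():
        print(name, rtype, events)
    print("retest:", names_to_retest(found))
```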






More information about the bind-users mailing list