Servfail on Bind -9.16.1

upen upendra.gandhi at gmail.com
Sat Nov 21 21:20:26 UTC 2020 

Hello Ananad, and all,

>www.facebook.com
$ dig @127.0.0.1 -t A www.facebook.com

; <<>> DiG 9.16.1-Ubuntu <<>> @127.0.0.1 -t A www.facebook.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38917
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: a18d9ed2a6d1bcd6010000005fb982763dfdafed174d4ef1 (good)
;; QUESTION SECTION:
;www.facebook.com.              IN      A

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Nov 21 15:11:18 CST 2020
;; MSG SIZE  rcvd: 73

>  Your instance of BIND is probably logging to syslog. Look for these logs
> (usually /var/log/messages), and see what BIND is logging. It may shed a
> light on the problem.

Thank you. I enabled logging and when I grep for www.facebook.com , I
notice the following output from four different log files named.

debug.log:21-Nov-2020 15:11:18.004 queries: info: client @0x7fb6a800c0a0
127.0.0.1#33706 (www.facebook.com): query: www.facebook.com IN A +E(0)K
(127.0.0.1)
default.log:21-Nov-2020 15:11:18.008 client @0x7fb6a800c0a0 127.0.0.1#33706
(www.facebook.com): query failed (broken trust chain) for
www.facebook.com/IN/A at query.c:6883
dnssec.log:21-Nov-2020 15:11:18.008 validating www.facebook.com/CNAME: bad
cache hit (com/DS)
lame-servers.log:21-Nov-2020 15:11:18.008 broken trust chain resolving '
www.facebook.com/A/IN': 129.134.31.12#53


Before running this query I also added dnssec-validation auto; to the
options file and restarted the bind9 service. It's pointing to a broken
trust chain which I am unsure how to resolve.

Thanks,
Upen


On Sat, Nov 21, 2020 at 3:11 PM Anand Buddhdev <anandb at ripe.net> wrote:

> On 21/11/2020 21:53, upen wrote:
>
> Hi Upen,
>
> > Could you someone guide me to troubleshoot this further? Thank you for
> the
> > list.
>
> Your instance of BIND is probably logging to syslog. Look for these logs
> (usually /var/log/messages), and see what BIND is logging. It may shed a
> light on the problem.
>
> Regards,
> Anand
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>


-- 
upen,
emerge -uD life (Upgrade Life with dependencies)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20201121/4ead1f03/attachment-0001.htm>

More information about the bind-users mailing list