Servfail on Bind -9.16.1

Mark Andrews marka at isc.org
Sun Nov 22 23:47:20 UTC 2020 

Ok.  Lets start by debugging this from the trust anchor downwards.
Lets see what "dig +dnssec +cd dnskey .” returns.  It should return
something like below with 2 DNSKEY records and a RRSIG for the DNSKEY.
The RRSIG is regenerated daily so it will likely differ.  The DNSKEY
records should be a exact match.  In this case flags contains ‘ad’ which
means that the RRset has previously been validated.

[beetle:~/git/bind9] marka% dig +dnssec +cd dnskey .
;; BADCOOKIE, retrying.

; <<>> DiG 9.15.4 <<>> +dnssec +cd dnskey .
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12403
;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: f182281b307ab59a010000005fbaf21fcdc7ab7803361e3c (good)
;; QUESTION SECTION:
;.				IN	DNSKEY

;; ANSWER SECTION:
.			134751	IN	DNSKEY	257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=
.			134751	IN	DNSKEY	256 3 8 AwEAAfC/6HLClwss6h7rPfoG2cliv4/SPJRd2HPEglRsvKZRbPP2RLfi obeAkczcdqaD5q8loEt14lcTgDqwzOISZ3YvSVkM4JRMFwKzcjukKo5C sDVbMmhTD0C0yxWICRQ1M+Y5/XkZAT7mt4cb3fWcN9xgyq1wEXQX+zdL QHrNEVQSiL5SoA5cOtCSoQ45n8bKDXdw/0jjP9Rw1FVKsdzLVkQSrVMm 8k30WUkHm/SK/n/954KENkdQOA6Li2vO9nicQdegyAkDeNJCdPN/p3jE hCTQLyO4AlAmyaPcDHeeo7OXr/VsYu4NTDde9hBuS0zx/rewD+BvSnmn NHNmH2FjUE8=
.			134751	IN	RRSIG	DNSKEY 8 0 172800 20201211000000 20201120000000 20326 . eD2ohirt98vCTbuBKIH8lmGum8g2zumyXA89A999extXqsWmomgVQhcb l6zvJHLdFvhBmA+ZqhOTiXvdXpOPeyqHLuMiRv8TTawNU305WPnsonSx uD5ThT9q7YXUZc9ty19Aur3AU0KtlNGULI+4ExrghEkdTNrysqgDWBO6 zslPuJlzSwu/qZcPWYVjsWRnCtJ9DyCpgLnjSYIUzA0Xz+FWtj1jM0BK Z9EyO+W5EaGkL2/u+bWWG07ZKJN0NwvTuq7Ounc+lz0zZDh83r/H4KRN J4VIoY3qPDkW4ZvGdAFM5o8sZdTTWKbieqCqWccj8W6sHEdiZ91JCt/G 3/FVsw==

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Nov 23 10:19:59 AEDT 2020
;; MSG SIZE  rcvd: 893

[beetle:~/git/bind9] marka% 

If you don’t get answer like this then we need to work out why.

Do you have a local copy of the root zone?  If so is from IANA
or from somewhere else?

Are you forwarding the root zone? If so what do ALL the forwarders
return for "dig +dnssec +cd dnskey . @<server>” where <server> is
replace by the IP address for each server.  If you are forwarding is
is forward “first” or “only”?

Mark

> On 22 Nov 2020, at 08:20, upen <upendra.gandhi at gmail.com> wrote:
> 
> Hello Ananad, and all,
> 
> >www.facebook.com
> $ dig @127.0.0.1 -t A www.facebook.com
> 
> ; <<>> DiG 9.16.1-Ubuntu <<>> @127.0.0.1 -t A www.facebook.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38917
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: a18d9ed2a6d1bcd6010000005fb982763dfdafed174d4ef1 (good)
> ;; QUESTION SECTION:
> ;www.facebook.com.              IN      A
> 
> ;; Query time: 4 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Sat Nov 21 15:11:18 CST 2020
> ;; MSG SIZE  rcvd: 73
> 
> >  Your instance of BIND is probably logging to syslog. Look for these logs
> > (usually /var/log/messages), and see what BIND is logging. It may shed a
> > light on the problem.  
> 
> Thank you. I enabled logging and when I grep for www.facebook.com , I notice the following output from four different log files named.
> 
> debug.log:21-Nov-2020 15:11:18.004 queries: info: client @0x7fb6a800c0a0 127.0.0.1#33706 (www.facebook.com): query: www.facebook.com IN A +E(0)K (127.0.0.1)
> default.log:21-Nov-2020 15:11:18.008 client @0x7fb6a800c0a0 127.0.0.1#33706 (www.facebook.com): query failed (broken trust chain) for www.facebook.com/IN/A at query.c:6883
> dnssec.log:21-Nov-2020 15:11:18.008 validating www.facebook.com/CNAME: bad cache hit (com/DS)
> lame-servers.log:21-Nov-2020 15:11:18.008 broken trust chain resolving 'www.facebook.com/A/IN': 129.134.31.12#53
> 
> 
> Before running this query I also added dnssec-validation auto; to the options file and restarted the bind9 service. It's pointing to a broken trust chain which I am unsure how to resolve.
> 
> Thanks,
> Upen
> 
> 
> On Sat, Nov 21, 2020 at 3:11 PM Anand Buddhdev <anandb at ripe.net> wrote:
> On 21/11/2020 21:53, upen wrote:
> 
> Hi Upen,
> 
> > Could you someone guide me to troubleshoot this further? Thank you for the
> > list.
> 
> Your instance of BIND is probably logging to syslog. Look for these logs
> (usually /var/log/messages), and see what BIND is logging. It may shed a
> light on the problem.
> 
> Regards,
> Anand
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
> 
> 
> -- 
> upen,
> emerge -uD life (Upgrade Life with dependencies)
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org

More information about the bind-users mailing list