DNSSEC error resolving gpo.gov ?

Alexandra Yang drayales at gmail.com
Wed Mar 15 00:45:49 UTC 2023


Hi Mark,

We noticed the problem because a client can't resolve www.federalregister.gov,
hosted by ns3.gpo.gov and ns4.gpo.gov. Our error is similar to the previous
post, plus some errors with the gpo.gov nameserver. I just wonder if it's
a config problem with our BIND 9.16.37 or a problem with the gpo.gov
nameserver?

We have dnssec-validation yes; not sure what to do if there is a problem with
our config.


Mar 13 18:02:18 ipam-dns-bl-5 named[2881]: client @0xaf1cb158 10.10.99.155#55940 (ns3.gpo.gov): query failed (broken trust chain) for ns3.gpo.gov/IN/A at /mnt/proj/package-7-3/nessy/bind-9.16/lib/ns/query.c:7449


Mar 14 10:23:32 ipam-dns-in-1 named[3713]: broken trust chain resolving 'ns3.gpo.gov/A/IN': 162.140.15.100#53


Mar 13 16:18:46 ipam-dns-bl-4 named[2928]: broken trust chain resolving 'www.federalregister.gov/AAAA/IN': 162.140.15.100#53



Thanks!



On Tue, Mar 14, 2023 at 7:30 PM Mark Andrews <marka at isc.org> wrote:

> Why are you trying to query this address?  The IPv4 servers are
> 162.140.15.100 and 162.140.254.200.
>
> > On 15 Mar 2023, at 07:53, Darren Ankney <darren.ankney at gmail.com> wrote:
> >
> > This is failing for me regularly:
> >
> > $ dig ns3.gpo.gov +dnssec +norecurse @162.140.15.200
> > ;; communications error to 162.140.15.200#53: timed out
> > ;; communications error to 162.140.15.200#53: timed out
> > ;; communications error to 162.140.15.200#53: timed out
> >
> > ; <<>> DiG 9.18.11 <<>> ns3.gpo.gov +dnssec +norecurse @162.140.15.200
> > ;; global options: +cmd
> > ;; no servers could be reached
> >
> > but all other combos of ns3.gpo.gov or ns4.gpo.gov and 162.140.15.100
> > and 162.140.15.200 work fine.
> >
> > On Tue, Mar 14, 2023 at 12:03 PM Tim Maestas <tmaestas95 at gmail.com> wrote:
> >>
> >> I've been having problems resolving www.federalregister.gov which is
> >> served by ns3.gpo.gov and ns4.gpo.gov, using BIND 9.16.27.  Haven't been
> >> able to quite figure out why so I've stuck an NTA in for the time being.
> >>
> >> On Tue, Mar 14, 2023 at 8:52 AM Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> >>>
> >>> On Tue, Mar 14, 2023 at 11:35:38AM -0400,
> >>> Alexandra Yang <drayales at gmail.com> wrote
> >>> a message of 183 lines which said:
> >>>
> >>>> I wonder if any of your nameserver resolve it just fine, like 8.8.8.8
> >>>> works
> >>>
> >>> Among RIPE Atlas probes, most succeed:
> >>>
> >>> % blaeu-resolve --displayvalidation -r 100  --type A gpo.gov
> >>> [ (Authentic Data flag)  162.140.14.82] : 46 occurrences
> >>> [162.140.14.82] : 52 occurrences
> >>> [ERROR: SERVFAIL] : 2 occurrences
> >>> Test #50935448 done at 2023-03-14T15:46:50Z
> >>>
> >>> The two whose resolvers servfail may have stricter/paranoid resolvers.
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka at isc.org