DNSSEC error resolving gpo.gov ?

Crist Clark cjc+bind-users at pumpky.net
Wed Mar 15 01:02:08 UTC 2023 

rndc dumpdb
rndc flushtree gov

Did that help? Going back to the dumped cache, what do the relevant names
have in there?


On Tue, Mar 14, 2023 at 5:46 PM Alexandra Yang <drayales at gmail.com> wrote:

> Hi Mark,
>
> We noticed the problem because client can't resolve
> www.federalregister.gov, hosted by ns3.gpo.gov and ns4.gpo.gov. Our error
> is similar to the previous post, plus some errors with the gpo.gov
> nameserver.I just wonder if it's the config problem with our BIND 9.16.37
> or problem with the gpo.gov nameserver ?
>
> We have dnssec-validation yes, not sure what to do if there is problem
> with our config.
>
>
> Mar 13 18:02:18 ipam-dns-bl-5 named[2881]: client @0xaf1cb158
> 10.10.99.155#55940 (ns3.gpo.gov): query failed (broken trust chain) for
> ns3.gpo.gov/IN/A at
> /mnt/proj/package-7-3/nessy/bind-9.16/lib/ns/query.c:7449
>
>
> Mar 14 10:23:32 ipam-dns-in-1 named[3713]: broken trust chain resolving 'ns3.gpo.gov/A/IN': 162.140.15.100#53
>
>
> Mar 13 16:18:46 ipam-dns-bl-4 named[2928]: broken trust chain resolving '
> www.federalregister.gov/AAAA/IN': 162.140.15.100#53
>
>
>
> Thanks!
>
>
>
> On Tue, Mar 14, 2023 at 7:30 PM Mark Andrews <marka at isc.org> wrote:
>
>> Why are you trying to query this address?  The IPv4 servers are
>> 162.140.15.100
>> and 162.140.254.200.
>>
>> > On 15 Mar 2023, at 07:53, Darren Ankney <darren.ankney at gmail.com>
>> wrote:
>> >
>> > This is failing for me regularly:
>> >
>> > $ dig ns3.gpo.gov +dnssec +norecurse @162.140.15.200
>> > ;; communications error to 162.140.15.200#53: timed out
>> > ;; communications error to 162.140.15.200#53: timed out
>> > ;; communications error to 162.140.15.200#53: timed out
>> >
>> > ; <<>> DiG 9.18.11 <<>> ns3.gpo.gov +dnssec +norecurse @162.140.15.200
>> > ;; global options: +cmd
>> > ;; no servers could be reached
>> >
>> > but all other combos of ns3.gpo.gov or ns4.gpo.gov and 162.140.15.100
>> > and 162.140.15.200 work fine.
>> >
>> > On Tue, Mar 14, 2023 at 12:03 PM Tim Maestas <tmaestas95 at gmail.com>
>> wrote:
>> >>
>> >> I've been having problems resolving www.federalregister.gov which is
>> served by ns3.gpo.gov and ns4.gpo.gov, using BIND 9.16.27.  Haven't been
>> able to quite figure out why so I've stuck an NTA in for the time being.
>> >>
>> >> On Tue, Mar 14, 2023 at 8:52 AM Stephane Bortzmeyer <bortzmeyer at nic.fr>
>> wrote:
>> >>>
>> >>> On Tue, Mar 14, 2023 at 11:35:38AM -0400,
>> >>> Alexandra Yang <drayales at gmail.com> wrote
>> >>> a message of 183 lines which said:
>> >>>
>> >>>> I wonder if any of your nameserver resolve it just fine, like 8.8.8.8
>> >>>> works
>> >>>
>> >>> Among RIPE Atlas probes, most succeed:
>> >>>
>> >>> % blaeu-resolve --displayvalidation -r 100  --type A gpo.gov
>> >>> [ (Authentic Data flag)  162.140.14.82] : 46 occurrences
>> >>> [162.140.14.82] : 52 occurrences
>> >>> [ERROR: SERVFAIL] : 2 occurrences
>> >>> Test #50935448 done at 2023-03-14T15:46:50Z
>> >>>
>> >>> The two whose resolvers servfail may have stricter/paranoid resolvers.
>>
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW
>> <https://www.google.com/maps/search/1+Seymour+St.,+Dundas+Valley,+NSW?entry=gmail&source=g>
>> 2117, Australia
>> PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
>>
>> --
>> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
>> from this list
>>
>> ISC funds the development of this software with paid support
>> subscriptions. Contact us at https://www.isc.org/contact/ for more
>> information.
>>
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20230314/7256de94/attachment.htm>

More information about the bind-users mailing list