On Sun, Nov 22, 2020 at 8:14 AM Ismael Suarez <ismael_sua...@coqui.com> wrote:
Also, just for testing. Similar happened to me. Try with ‘dnssec-validation no;’
On 22.11.20 09:05, upen wrote:
Thank you Ismael, you are right . The resolution worked after setting ^^^ So to answer Julien also I believe +nodnsdec in the dig would have helped with resolution. So validation is not working it seems . What could be reason for that? Is something wrong on my configuration or network that the dnssec validation can not be used in my configuration.
it's possible that your provider does DNS hijacking. DNS over TLS or DNS over HTTPS could help verify that.
I can set to auto again and run dig +trace if that will help troubleshooting further why validation may not be working. I’m unsure if this is expected or something could be wrong somewhere on my end /network .
From: bind-users <bind-users-boun...@lists.isc.org> on behalf of julien soula <julien.so...@univ-lille.fr> Sent: Sunday, November 22, 2020 9:31:56 AM To: upen <upendra.gan...@gmail.com> Cc: bind-users@lists.isc.org <bind-users@lists.isc.org>; BIND Users < bind-us...@isc.org> Subject: Re: Servfail on Bind -9.16.1 On Sat, Nov 21, 2020 at 03:20:26PM -0600, upen wrote: > .../... > default.log:21-Nov-2020 15:11:18.008 client @0x7fb6a800c0a0 127.0.0.1#33706 > (www.facebook.com<http://www.facebook.com>): query failed (broken trust chain) for > www.facebook.com/IN/A<http://www.facebook.com/IN/A> at query.c:6883 > dnssec.log:21-Nov-2020 15:11:18.008 validating www.facebook.com/CNAME:< http://www.facebook.com/CNAME:> bad > cache hit (com/DS) > lame-servers.log:21-Nov-2020 15:11:18.008 broken trust chain resolving ' > www.facebook.com/A/IN':<http://www.facebook.com/A/IN':> 129.134.31.12#53 it seems to be an error in dnssec. So I suppose that "dig +nodnssec ...." works. May be "dig +trace facebook.com" will give you more hints.
-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. It's now safe to throw off your computer. _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
