On Sun, Nov 22, 2020 at 9:35 AM Matus UHLAR - fantomas <uh...@fantomas.sk>
wrote:

> >On Sun, Nov 22, 2020 at 8:14 AM Ismael Suarez <ismael_sua...@coqui.com>
> >wrote:
>
> >> Also, just for testing. Similar happened to me. Try with
> >> ‘dnssec-validation no;’
>
> On 22.11.20 09:05, upen wrote:
> >Thank you Ismael, you are right.
> >The resolution worked after setting ^^^
> >
> >So to answer Julien also, I believe +nodnssec in the dig would have helped
> >with resolution.
> >
> >So validation is not working, it seems. What could be the reason for that? Is
> >something wrong in my configuration or network that the DNSSEC validation
> >cannot be used in my configuration?
>
> it's possible that your provider does DNS hijacking.
> DNS over TLS or DNS over HTTPS could help verify that.




Thank you Matus. So this is inside a university network and on a server.
Maybe the network people do some DNS interceptions. I did upload a link
to a packet capture which may shed some light on if they do indeed hijack.

But from your reply it sounds like this behavior with auto is not expected
and things should work for those domains, so definitely something to check
in my network, configuration end of things.

Thank you
Upen

>
> >I can set to auto again and run dig +trace if that will help
> >troubleshooting further why validation may not be working. I’m unsure if
> >this is expected or something could be wrong somewhere on my end /network.
>
> >> From: bind-users <bind-users-boun...@lists.isc.org> on behalf of julien
> >> soula <julien.so...@univ-lille.fr>
> >> Sent: Sunday, November 22, 2020 9:31:56 AM
> >> To: upen <upendra.gan...@gmail.com>
> >> Cc: bind-users@lists.isc.org <bind-users@lists.isc.org>; BIND Users <
> >> bind-us...@isc.org>
> >> Subject: Re: Servfail on Bind -9.16.1
> >>
> >> On Sat, Nov 21, 2020 at 03:20:26PM -0600, upen wrote:
> >> > .../...
> >> > default.log:21-Nov-2020 15:11:18.008 client @0x7fb6a800c0a0 127.0.0.1#33706 (www.facebook.com): query failed (broken trust chain) for www.facebook.com/IN/A at query.c:6883
> >> > dnssec.log:21-Nov-2020 15:11:18.008 validating www.facebook.com/CNAME: bad cache hit (com/DS)
> >> > lame-servers.log:21-Nov-2020 15:11:18.008 broken trust chain resolving 'www.facebook.com/A/IN': 129.134.31.12#53
> >>
> >> it seems to be an error in dnssec. So I suppose that "dig +nodnssec
> >> ...." works.
> >>
> >> Maybe "dig +trace facebook.com" will give you more hints.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> It's now safe to throw off your computer.
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
-- 
upen,
emerge -uD life (Upgrade Life with dependencies)
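
The three log lines quoted in this thread can be triaged mechanically to see where in the chain validation failed. The Python below is an added example, not part of the original messages or of BIND; the function names `triage` and `ancestor_failures` are hypothetical, and the sample input is the thread's own log text with the mail wrapping removed.

```python
import re
from collections import defaultdict

# Constructed sample: the three log lines quoted in the thread, with mail
# line wrapping and autolink residue removed.
SAMPLE = """\
default.log:21-Nov-2020 15:11:18.008 client @0x7fb6a800c0a0 127.0.0.1#33706 (www.facebook.com): query failed (broken trust chain) for www.facebook.com/IN/A at query.c:6883
dnssec.log:21-Nov-2020 15:11:18.008 validating www.facebook.com/CNAME: bad cache hit (com/DS)
lame-servers.log:21-Nov-2020 15:11:18.008 broken trust chain resolving 'www.facebook.com/A/IN': 129.134.31.12#53
"""

QUERY_FAILED = re.compile(r"query failed \((?P<reason>[^)]+)\) for (?P<name>[^/\s]+)/IN/\w+")
BAD_CACHE = re.compile(r"validating (?P<name>[^/\s]+)/\w+: bad cache hit \((?P<link>[^/\s]+/\w+)\)")
BROKEN = re.compile(r"broken trust chain resolving '(?P<name>[^/']+)/\w+/IN': (?P<server>[0-9A-Fa-f.:]+)#\d+")

def triage(text):
    """Group DNSSEC validation failures by query name."""
    report = defaultdict(lambda: {"reasons": set(), "failed_links": set(), "servers": set()})
    for line in text.splitlines():
        if m := QUERY_FAILED.search(line):
            report[m["name"]]["reasons"].add(m["reason"])
        if m := BAD_CACHE.search(line):
            # A cached validation failure for this owner/type, e.g. com/DS.
            report[m["name"]]["failed_links"].add(m["link"])
        if m := BROKEN.search(line):
            # Server the resolver was talking to when the chain was declared broken.
            report[m["name"]]["servers"].add(m["server"])
    return {name: {k: sorted(v) for k, v in d.items()} for name, d in report.items()}

def ancestor_failures(entry, name):
    """Owners of failed links that are parent zones of `name`, not `name` itself."""
    owners = {link.split("/")[0].rstrip(".") for link in entry["failed_links"]}
    return sorted(o for o in owners if name.rstrip(".").endswith("." + o))

if __name__ == "__main__":
    for qname, entry in triage(SAMPLE).items():
        print(qname, entry, "parent-zone failures:", ancestor_failures(entry, qname))
```

A failure recorded against a parent-zone link such as `com/DS` affects every name under that zone, so it points at the resolver's path to the parent servers rather than at the queried domain.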