OK.  Let's start by debugging this from the trust anchor downwards.
Let's see what "dig +dnssec +cd dnskey ." returns.  It should return
something like below with 2 DNSKEY records and an RRSIG for the DNSKEY.
The RRSIG is regenerated daily so it will likely differ.  The DNSKEY
records should be an exact match.  In this case flags contains 'ad' which
means that the RRset has previously been validated.

[beetle:~/git/bind9] marka% dig +dnssec +cd dnskey .
;; BADCOOKIE, retrying.

; <<>> DiG 9.15.4 <<>> +dnssec +cd dnskey .
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12403
;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: f182281b307ab59a010000005fbaf21fcdc7ab7803361e3c (good)
;; QUESTION SECTION:
;.                              IN      DNSKEY

;; ANSWER SECTION:
.                       134751  IN      DNSKEY  257 3 8 
AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv 
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e 
oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd 
RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=
.                       134751  IN      DNSKEY  256 3 8 
AwEAAfC/6HLClwss6h7rPfoG2cliv4/SPJRd2HPEglRsvKZRbPP2RLfi 
obeAkczcdqaD5q8loEt14lcTgDqwzOISZ3YvSVkM4JRMFwKzcjukKo5C 
sDVbMmhTD0C0yxWICRQ1M+Y5/XkZAT7mt4cb3fWcN9xgyq1wEXQX+zdL 
QHrNEVQSiL5SoA5cOtCSoQ45n8bKDXdw/0jjP9Rw1FVKsdzLVkQSrVMm 
8k30WUkHm/SK/n/954KENkdQOA6Li2vO9nicQdegyAkDeNJCdPN/p3jE 
hCTQLyO4AlAmyaPcDHeeo7OXr/VsYu4NTDde9hBuS0zx/rewD+BvSnmn NHNmH2FjUE8=
.                       134751  IN      RRSIG   DNSKEY 8 0 172800 
20201211000000 20201120000000 20326 . 
eD2ohirt98vCTbuBKIH8lmGum8g2zumyXA89A999extXqsWmomgVQhcb 
l6zvJHLdFvhBmA+ZqhOTiXvdXpOPeyqHLuMiRv8TTawNU305WPnsonSx 
uD5ThT9q7YXUZc9ty19Aur3AU0KtlNGULI+4ExrghEkdTNrysqgDWBO6 
zslPuJlzSwu/qZcPWYVjsWRnCtJ9DyCpgLnjSYIUzA0Xz+FWtj1jM0BK 
Z9EyO+W5EaGkL2/u+bWWG07ZKJN0NwvTuq7Ounc+lz0zZDh83r/H4KRN 
J4VIoY3qPDkW4ZvGdAFM5o8sZdTTWKbieqCqWccj8W6sHEdiZ91JCt/G 3/FVsw==

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Nov 23 10:19:59 AEDT 2020
;; MSG SIZE  rcvd: 893

[beetle:~/git/bind9] marka% 

If you don't get an answer like this then we need to work out why.

Do you have a local copy of the root zone?  If so, is it from IANA
or from somewhere else?

Are you forwarding the root zone? If so, what do ALL the forwarders
return for "dig +dnssec +cd dnskey . @<server>" where <server> is
replaced by the IP address of each server.  If you are forwarding, is
it forward "first" or "only"?

Mark

> On 22 Nov 2020, at 08:20, upen <upendra.gan...@gmail.com> wrote:
> 
> Hello Anand, and all,
> 
> >www.facebook.com
> $ dig @127.0.0.1 -t A www.facebook.com
> 
> ; <<>> DiG 9.16.1-Ubuntu <<>> @127.0.0.1 -t A www.facebook.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38917
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: a18d9ed2a6d1bcd6010000005fb982763dfdafed174d4ef1 (good)
> ;; QUESTION SECTION:
> ;www.facebook.com.              IN      A
> 
> ;; Query time: 4 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Sat Nov 21 15:11:18 CST 2020
> ;; MSG SIZE  rcvd: 73
> 
> >  Your instance of BIND is probably logging to syslog. Look for these logs
> > (usually /var/log/messages), and see what BIND is logging. It may shed a
> > light on the problem.  
> 
> Thank you. I enabled logging and when I grep for www.facebook.com, I notice 
> the following output from four different log files:
> 
> debug.log:21-Nov-2020 15:11:18.004 queries: info: client @0x7fb6a800c0a0 
> 127.0.0.1#33706 (www.facebook.com): query: www.facebook.com IN A +E(0)K 
> (127.0.0.1)
> default.log:21-Nov-2020 15:11:18.008 client @0x7fb6a800c0a0 127.0.0.1#33706 
> (www.facebook.com): query failed (broken trust chain) for 
> www.facebook.com/IN/A at query.c:6883
> dnssec.log:21-Nov-2020 15:11:18.008 validating www.facebook.com/CNAME: bad 
> cache hit (com/DS)
> lame-servers.log:21-Nov-2020 15:11:18.008 broken trust chain resolving 
> 'www.facebook.com/A/IN': 129.134.31.12#53
> 
> 
> Before running this query I also added dnssec-validation auto; to the options 
> file and restarted the bind9 service. It's pointing to a broken trust chain 
> which I am unsure how to resolve.
> 
> Thanks,
> Upen
> 
> 
> On Sat, Nov 21, 2020 at 3:11 PM Anand Buddhdev <ana...@ripe.net> wrote:
> On 21/11/2020 21:53, upen wrote:
> 
> Hi Upen,
> 
> > Could you someone guide me to troubleshoot this further? Thank you for the
> > list.
> 
> Your instance of BIND is probably logging to syslog. Look for these logs
> (usually /var/log/messages), and see what BIND is logging. It may shed a
> light on the problem.
> 
> Regards,
> Anand
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
> 
> 
> -- 
> upen,
> emerge -uD life (Upgrade Life with dependencies)

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org

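As an added example (not code from Mark's mail or from BIND), a small Python checker that applies the checklist above to the dig output it shows: it parses the header and the answer records, computes each DNSKEY's key tag per RFC 4034 Appendix B, and confirms NOERROR status, the 'ad' flag, a 257/256 key pair, and that the DNSKEY RRSIG names the same key tag, 20326, as the KSK it was computed from. The embedded sample is the root DNSKEY answer from the mail with the ZSK key material and the signature shortened; the function and constant names are my own.

```python
import base64, re
# Root DNSKEY answer from the dig output in the mail above (the ZSK key material
# and the RRSIG signature are shortened here; the KSK record is complete).
ROOT_DNSKEY_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12403
;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
.                       134751  IN      DNSKEY  257 3 8
AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=
.                       134751  IN      DNSKEY  256 3 8 AwEAAfC/6HLClwss6h7r
.                       134751  IN      RRSIG   DNSKEY 8 0 172800
20201211000000 20201120000000 20326 . eD2ohirt98vCTbuBKIH8lmGum8g2zumy
"""
TRUST_ANCHOR_KEYTAG = 20326  # key tag of the root KSK named by the RRSIG above
def key_tag(rdata: bytes) -> int:
    # RFC 4034 Appendix B key tag over the DNSKEY RDATA (non-RSA/MD5 algorithms)
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (ac + (ac >> 16)) & 0xFFFF
def parse_answer(text: str) -> dict:
    # ";;" lines carry status/flags; other lines are records or wrapped RDATA
    out = {"status": None, "flags": set(), "records": []}
    for line in text.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            out["status"] = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";; flags:"):
            out["flags"] = set(line.split(";")[2].split()[1:])
        elif line.strip() and not line.startswith(";"):
            if re.match(r"\S+\s+\d+\s+IN\s+\w+", line):
                out["records"].append(line.split())  # owner TTL class type ...
            else:
                out["records"][-1].extend(line.split())  # RDATA continues
    return out
def check_root_dnskey(text: str, anchor_tag: int = TRUST_ANCHOR_KEYTAG) -> dict:
    # One boolean per check the mail above asks for; all True on a healthy answer
    ans = parse_answer(text)
    keys = [r for r in ans["records"] if r[3] == "DNSKEY"]
    sigs = [r for r in ans["records"] if r[3] == "RRSIG" and r[4] == "DNSKEY"]
    tags = {}  # computed key tag -> DNSKEY flags (257 = KSK, 256 = ZSK)
    for r in keys:
        flags, proto, alg = (int(x) for x in r[4:7])
        pub = base64.b64decode("".join(r[7:]))
        tags[key_tag(flags.to_bytes(2, "big") + bytes([proto, alg]) + pub)] = flags
    return {"noerror": ans["status"] == "NOERROR", "validated_ad": "ad" in ans["flags"],
            "has_ksk_and_zsk": {256, 257} <= set(tags.values()), "dnskey_signed": bool(sigs),
            "sig_by_anchor": any(int(s[10]) == anchor_tag for s in sigs),
            "anchor_is_ksk": tags.get(anchor_tag) == 257}
```

Feed it the output of the same dig command against each forwarder; a SERVFAIL, a missing 'ad', or an RRSIG key tag that does not match the configured anchor points at where the chain breaks.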