On 2/09/22 08:09, Bhangui, Sandeep - BLS CTR via bind-users wrote:

# nslookup www.ssa.gov
;; Got SERVFAIL reply from 127.0.0.1, trying next server
Server: 198.6.1.1
Address: 198.6.1.1#53
Non-authoritative answer:

Hi Sandeep.

This looks like when you use nslookup it is using 127.0.0.1 as your DNS
server, but when you use dig it isn't. Do you have systemd on that
machine? If so, I suspect your requests using nslookup are going to the
systemd-resolved stub resolver?

FYI I know that there were issues with the stub resolver and DNSSEC
lookups, but I don't recall exactly what the issues were and so I'm not
sure if those limitations have been resolved by now?

If this is your situation, then you may want to consider disabling the
stub resolver? Have a look at "man resolved.conf" and in particular the
option you want to set is "DNSStubListener=no". The preferred way to do
this is to create a .conf file with this in the
/etc/systemd/resolved.conf.d/ directory, e.g.:

$ cat /etc/systemd/resolved.conf.d/00-nick.conf
[Resolve]
FallbackDNS=192.168.20.195 192.168.20.196 192.168.20.197
DNSSEC=yes
DNSStubListener=no

After editing the configuration run "sudo systemctl restart
systemd-resolved".

Nick.
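
An added example, not part of the original message and not systemd's own tooling: a shell check for the situation discussed in the reply above. It lists the resolvers that resolv.conf hands to nslookup, tells the systemd-resolved stub address apart from other loopback resolvers, and computes the effective DNSStubListener and DNSSEC values from resolved.conf plus one drop-in directory. The function names and sample files are constructed for illustration; a real host also merges drop-ins from /run and /usr/lib, which this sketch does not read.

```shell
#!/bin/sh
# Added example (not from the original mail). Paths are passed in so the
# checks can run against constructed sample files or the real /etc.

# Print each "nameserver" address from a resolv.conf-style file.
list_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# systemd-resolved's stub listens on 127.0.0.53 (also 127.0.0.54 on newer
# releases); any other loopback address is a different local daemon.
classify_ns() {
    case "$1" in
        127.0.0.53|127.0.0.54) echo systemd-stub ;;
        127.*|::1)             echo other-local ;;
        *)                     echo remote ;;
    esac
}

# Effective value of KEY: main file first, then drop-ins in lexical order;
# the last assignment wins and commented-out lines are ignored.
effective_setting() {   # usage: effective_setting KEY MAIN_CONF DROPIN_DIR
    for f in "$2" "$3"/*.conf; do
        if [ -f "$f" ]; then cat "$f"; fi
    done | awk -v k="$1" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, "=") }
        index($0, k "=") == 1 { v = substr($0, length(k) + 2) }
        END { print (v == "" ? "(default)" : v) }'
}

# Constructed sample input mirroring the thread: 127.0.0.1 answered SERVFAIL,
# 198.6.1.1 answered next; the drop-in settings are those quoted in the reply.
make_sample() {         # usage: make_sample DIR
    mkdir -p "$1/resolved.conf.d"
    printf 'nameserver 127.0.0.1\nnameserver 198.6.1.1\n' > "$1/resolv.conf"
    printf '[Resolve]\n#DNSStubListener=yes\nDNSSEC=no\n' > "$1/resolved.conf"
    printf '[Resolve]\nDNSSEC=yes\nDNSStubListener=no\n' \
        > "$1/resolved.conf.d/00-nick.conf"
}

report() {              # usage: report DIR
    for ns in $(list_nameservers "$1/resolv.conf"); do
        echo "$ns $(classify_ns "$ns")"
    done
    for key in DNSStubListener DNSSEC; do
        echo "$key=$(effective_setting "$key" "$1/resolved.conf" "$1/resolved.conf.d")"
    done
}

sample=$(mktemp -d) && make_sample "$sample" && report "$sample"
rm -rf "$sample"
```

To inspect a live host, call the functions with /etc/resolv.conf, /etc/systemd/resolved.conf and /etc/systemd/resolved.conf.d instead of the sample directory.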