Hi Mark, We noticed the problem because client can't resolve www.federalregister.gov, hosted by ns3.gpo.gov and ns4.gpo.gov. Our error is similar to the previous post, plus some errors with the gpo.gov nameserver.I just wonder if it's the config problem with our BIND 9.16.37 or problem with the gpo.gov nameserver ?
We have dnssec-validation yes, not sure what to do if there is problem with our config. Mar 13 18:02:18 ipam-dns-bl-5 named[2881]: client @0xaf1cb158 10.10.99.155#55940 (ns3.gpo.gov): query failed (broken trust chain) for ns3.gpo.gov/IN/A at /mnt/proj/package-7-3/nessy/bind-9.16/lib/ns/query.c:7449 Mar 14 10:23:32 ipam-dns-in-1 named[3713]: broken trust chain resolving 'ns3.gpo.gov/A/IN': 162.140.15.100#53 Mar 13 16:18:46 ipam-dns-bl-4 named[2928]: broken trust chain resolving ' www.federalregister.gov/AAAA/IN': 162.140.15.100#53 Thanks! On Tue, Mar 14, 2023 at 7:30 PM Mark Andrews <ma...@isc.org> wrote: > Why are you trying to query this address? The IPv4 servers are > 162.140.15.100 > and 162.140.254.200. > > > On 15 Mar 2023, at 07:53, Darren Ankney <darren.ank...@gmail.com> wrote: > > > > This is failing for me regularly: > > > > $ dig ns3.gpo.gov +dnssec +norecurse @162.140.15.200 > > ;; communications error to 162.140.15.200#53: timed out > > ;; communications error to 162.140.15.200#53: timed out > > ;; communications error to 162.140.15.200#53: timed out > > > > ; <<>> DiG 9.18.11 <<>> ns3.gpo.gov +dnssec +norecurse @162.140.15.200 > > ;; global options: +cmd > > ;; no servers could be reached > > > > but all other combos of ns3.gpo.gov or ns4.gpo.gov and 162.140.15.100 > > and 162.140.15.200 work fine. > > > > On Tue, Mar 14, 2023 at 12:03 PM Tim Maestas <tmaesta...@gmail.com> > wrote: > >> > >> I've been having problems resolving www.federalregister.gov which is > served by ns3.gpo.gov and ns4.gpo.gov, using BIND 9.16.27. Haven't been > able to quite figure out why so I've stuck an NTA in for the time being. > >> > >> On Tue, Mar 14, 2023 at 8:52 AM Stephane Bortzmeyer <bortzme...@nic.fr> > wrote: > >>> > >>> On Tue, Mar 14, 2023 at 11:35:38AM -0400, > >>> Alexandra Yang <draya...@gmail.com> wrote > >>> a message of 183 lines which said: > >>> > >>>> I wonder if any of your nameserver resolve it just fine, like 8.8.8.8 > >>>> works > >>> > >>> Among RIPE Atlas probes, most succeed: > >>> > >>> % blaeu-resolve --displayvalidation -r 100 --type A gpo.gov > >>> [ (Authentic Data flag) 162.140.14.82] : 46 occurrences > >>> [162.140.14.82] : 52 occurrences > >>> [ERROR: SERVFAIL] : 2 occurrences > >>> Test #50935448 done at 2023-03-14T15:46:50Z > >>> > >>> The two whose resolvers servfail may have stricter/paranoid resolvers. > > -- > Mark Andrews, ISC > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org > > -- > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > ISC funds the development of this software with paid support > subscriptions. Contact us at https://www.isc.org/contact/ for more > information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users >
-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users