> My go-to DNS debugging site at
>
> https://dnsviz.net/d/s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es/dnssec/
>
> appears to indicate there is more than one problem, but the most
> serious one is probably this one:
>
> It might look like one or more of the publishing name servers responds
> incorrectly when queried for an "empty non-terminal" name
> (e.g. _domainkey...), which probably itself doesn't have any data on
> that node, but has data on "names below". The correct response code
> is then NOERROR with answer count=0 (aka. "NODATA"), not NXDOMAIN.
>
> When a recursor gets NXDOMAIN back, it is free to assume that the
> queried-for name does not exist (which is obvious), and nothing exists
> below that node either. See RFC 8020.
>
> Regards,
>
> - Håvard

Håvard, what you say is correct about the NXDOMAIN RCODE. However, Thomas's logs and dig output suggest that the failure is a timeout, possibly because BIND/named is not responding. So I don't think that DNSViz error matches the problem description. Having said that, one or more problems with the relevant zones could be triggering something in BIND...

Thomas, can you clarify whether all queries to 127.0.0.1/53 result in:

    ;; communications error to 127.0.0.1#53: timed out

when this problem occurs, or do just queries for s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es fail (or some level of failure in between all queries and the ones for that one domain)?

And at that time, can you successfully query from the same system using a public resolver (e.g. "dig @9.9.9.9 s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es TXT")?

And do you have BIND's logging for the queries that fail?

Thanks,
b.

Michael Batchelder
ISC Support
--
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
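The distinction drawn in this thread, between a resolver that times out and an empty non-terminal answered with NXDOMAIN instead of NODATA, can be checked mechanically from saved dig output. The sketch below is an added example, not part of the thread or of BIND; the function names, the `example.test` names and the dig outputs are constructed for illustration.

```python
import re

def classify(dig_output: str) -> str:
    """Map one dig run to TIMEOUT, NODATA, ANSWER, or the non-NOERROR RCODE."""
    status = re.search(r"status: (\w+)", dig_output)
    if status is None:
        # No DNS header at all: the server never answered.
        return "TIMEOUT" if "timed out" in dig_output else "NO_RESPONSE"
    rcode = status.group(1)
    if rcode != "NOERROR":
        return rcode  # e.g. NXDOMAIN, SERVFAIL
    answers = int(re.search(r"ANSWER: (\d+)", dig_output).group(1))
    return "ANSWER" if answers else "NODATA"

def rfc8020_conflicts(results: dict) -> list:
    """Return (ancestor, descendant) pairs where the ancestor got NXDOMAIN
    although a name below it exists, which RFC 8020 says cannot happen."""
    conflicts = []
    for upper, upper_state in results.items():
        if upper_state != "NXDOMAIN":
            continue
        for lower, lower_state in results.items():
            if lower.endswith("." + upper) and lower_state in ("ANSWER", "NODATA"):
                conflicts.append((upper, lower))
    return conflicts

# Constructed dig outputs, trimmed to the lines the parser reads.
TIMEOUT_OUT = (";; communications error to 127.0.0.1#53: timed out\n"
               ";; no servers could be reached\n")
ENT_NXDOMAIN_OUT = (";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1111\n"
                    ";; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1\n")
ENT_NODATA_OUT = (";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222\n"
                  ";; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1\n")
TXT_OUT = (";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3333\n"
           ";; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n")

ENT = "_domainkey.mail.example.test"      # constructed empty non-terminal
KEY = "s1._domainkey.mail.example.test"   # constructed DKIM selector below it

if __name__ == "__main__":
    broken = {ENT: classify(ENT_NXDOMAIN_OUT), KEY: classify(TXT_OUT)}
    print("authoritative side:", rfc8020_conflicts(broken))
    print("local resolver:", classify(TIMEOUT_OUT))
```

A TIMEOUT result from the local resolver alongside clean answers from a public resolver points at the resolver itself, while a non-empty conflict list points at the authoritative servers for the zone.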