The posix boxes are validating the responses and your zone is not properly 
delegated/signed so DNSSEC validation fails. 

What does the following return?

dig +cd +dnssec mail.jungersen.dk

The answer on the internet is signed. 



-- 
Mark Andrews

> On 19 Feb 2025, at 21:21, Danjel Jungersen via bind-users 
> <bind-users@lists.isc.org> wrote:
> 
> On 19-02-2025 11:11, Marco Moock wrote:
>> On Wed, 19 Feb 2025 10:58:14 +0100,
>> Danjel Jungersen via bind-users <bind-users@lists.isc.org> wrote:
>> 
>>> But if I change /etc/resolv.conf to 127.0.0.1 something happens
>>> If I do a dig or ping from my postfixbox to something that the 2 main
>>> bind-boxes are authoritative for, it doesn't work.
>> Please sniff the DNS traffic between the 2 machines and check if the
>> request goes out to the authoritative server and check what it replied.
>> 
>> You can trigger the request by
>> 
>> dig A/AAAA non-working domain @IP.
>> 
>> Try +recurse/+norecurse to check if the issue is related to those flags.
> root@mail:~# dig A mail.jungersen.dk @127.0.0.1
> 
> ; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> A mail.jungersen.dk @127.0.0.1
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 9792
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: d55e55f5d6573eaf0100000067b5af13a2e4bdccbb3ce36b (good)
> ;; QUESTION SECTION:
> ;mail.jungersen.dk.             IN      A
> 
> ;; Query time: 4 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
> ;; WHEN: Wed Feb 19 11:14:43 CET 2025
> ;; MSG SIZE  rcvd: 74
> 
> 
> dig +recurse A mail.jungersen.dk @127.0.0.1
> 
> ; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> +recurse A mail.jungersen.dk @127.0.0.1
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19526
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: 1579e49c3774139b0100000067b5af24e95ccd20f610d99d (good)
> ;; QUESTION SECTION:
> ;mail.jungersen.dk.             IN      A
> 
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
> ;; WHEN: Wed Feb 19 11:15:00 CET 2025
> ;; MSG SIZE  rcvd: 74
> 
> 
> dig +norecurse A mail.jungersen.dk @127.0.0.1
> 
> ; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> +norecurse A mail.jungersen.dk @127.0.0.1
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10118
> ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: 689869318da8e64c0100000067b5af33f48840b2e116d76e (good)
> ;; QUESTION SECTION:
> ;mail.jungersen.dk.             IN      A
> 
> ;; AUTHORITY SECTION:
> .                       3600000 IN      NS E.ROOT-SERVERS.NET.
> .                       3600000 IN      NS F.ROOT-SERVERS.NET.
> .                       3600000 IN      NS L.ROOT-SERVERS.NET.
> .                       3600000 IN      NS C.ROOT-SERVERS.NET.
> .                       3600000 IN      NS B.ROOT-SERVERS.NET.
> .                       3600000 IN      NS A.ROOT-SERVERS.NET.
> .                       3600000 IN      NS J.ROOT-SERVERS.NET.
> .                       3600000 IN      NS D.ROOT-SERVERS.NET.
> .                       3600000 IN      NS H.ROOT-SERVERS.NET.
> .                       3600000 IN      NS G.ROOT-SERVERS.NET.
> .                       3600000 IN      NS I.ROOT-SERVERS.NET.
> .                       3600000 IN      NS K.ROOT-SERVERS.NET.
> .                       3600000 IN      NS M.ROOT-SERVERS.NET.
> 
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
> ;; WHEN: Wed Feb 19 11:15:15 CET 2025
> ;; MSG SIZE  rcvd: 297
> 
> 
> Not sure how to do the sniff part(?)
> 
> But I must get some sort of answer...
> dig A postfix.org @127.0.0.1
> 
> ; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> A postfix.org @127.0.0.1
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2255
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: 6c3f5cf7e1e34e450100000067b5b035b878201ed4e8d3fd (good)
> ;; QUESTION SECTION:
> ;postfix.org.                   IN      A
> 
> ;; ANSWER SECTION:
> postfix.org.            3600    IN      A       65.108.3.114
> 
> ;; Query time: 852 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
> ;; WHEN: Wed Feb 19 11:19:33 CET 2025
> ;; MSG SIZE  rcvd: 84
> 
> Best regards
> Danjel
> 
> 
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
> this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
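
Added example (not part of the original messages and not ISC code): the +cd comparison suggested at the top of this reply, written as a small classifier over dig output. SERVFAIL on a plain query combined with NOERROR on the same query with +cd points at DNSSEC validation rather than reachability. The function names and the +cd sample are constructed for illustration; the other two samples reuse header lines quoted in this thread.

```shell
#!/bin/sh
# Added example: compare a plain dig reply with a +cd reply for the same name.

# Print the rcode from the ";; ->>HEADER<<-" line of dig output on stdin.
dig_status() {
    sed -n 's/^;; ->>HEADER<<-.* status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Succeed if the ";; flags:" line on stdin lists the given flag (e.g. ad).
dig_has_flag() {
    sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1 | grep -qw "$1"
}

# diagnose PLAIN_OUTPUT CD_OUTPUT -> one-word verdict on stdout
diagnose() {
    plain_status=$(printf '%s\n' "$1" | dig_status)
    cd_status=$(printf '%s\n' "$2" | dig_status)
    if [ "$plain_status" = "SERVFAIL" ] && [ "$cd_status" = "NOERROR" ]; then
        echo "validation-failure"   # data is reachable, the validator rejected it
    elif [ "$plain_status" = "SERVFAIL" ]; then
        echo "resolution-failure"   # fails even unvalidated: look at reachability
    elif printf '%s\n' "$1" | dig_has_flag ad; then
        echo "validated"            # resolver set AD: chain of trust checked out
    else
        echo "unvalidated"          # answered, but without DNSSEC validation
    fi
}

# Header lines as quoted in this thread (SERVFAIL case and postfix.org case).
SAMPLE_PLAIN=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 9792
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2255
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
# Constructed sample of what a +cd reply looks like when the data is reachable.
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

# Live use against the local resolver would be:
#   diagnose "$(dig mail.jungersen.dk @127.0.0.1)" \
#            "$(dig +cd +dnssec mail.jungersen.dk @127.0.0.1)"
diagnose "$SAMPLE_PLAIN" "$SAMPLE_CD"
```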
