Perhaps if dnssecnsec3qatestdomain.com existed we would be able to tell you. As it is, there is not enough information here to work out what is broken.

In message <aanlktik4qlwtydstmwxm-hse8yx88h6tfkpx4cxy8...@mail.gmail.com>, rams writes:
>
> I have trouble resolving the host name dnssecnsec3qatestdomain.com. which is
> NSEC3 signed. This is the parent and child zone. If I run dig (dnssec
> query) with the +cd option I which is a proper response:
>
> [r...@stulcqanusbind1 ~]# dig dnssecnsec3qatestdomain.com. any +dnssec *+cd*
>
> ; <<>> DiG 9.7.1-P2 <<>> dnssecnsec3qatestdomain.com. any +dnssec +cd
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1601
> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 8, AUTHORITY: 3, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;dnssecnsec3qatestdomain.com. IN ANY
>
> ;; ANSWER SECTION:
> dnssecnsec3qatestdomain.com. 86396 IN RRSIG A 7 2 86400 20200831000000
> 20100831205954 61559 dnssecnsec3qatestdomain.com.
> A4HqcGYSyEoM7Y75MoRaK4zzNiuL45tq+AnfUIrxxEIPkIOI12FmFyhY
> JOQN216QkTbYkJBlNwe2Ky1SRGjwhQ==
> dnssecnsec3qatestdomain.com. 86396 IN A 12.12.1.0
> dnssecnsec3qatestdomain.com. 86396 IN A 255.12.1.0
> dnssecnsec3qatestdomain.com. 86396 IN RRSIG SOA 7 2 86400 20200831000000
> 20100831205954 61559 dnssecnsec3qatestdomain.com.
> eAV/LHcB3WLA9ULvsz/kcVJ63XeJCX/YAOu9ZFUM+SVDIW/BAUXNfq9O
> iNBuukgDBlFZFOQyblfgjpcSW3CQMw==
> dnssecnsec3qatestdomain.com. 86396 IN SOA udns1.ultradns.net.
> bitbuck...@qa.neustar.com. 2009111903 10800 3600 2592000 86400
> dnssecnsec3qatestdomain.com. 86396 IN RRSIG NS 7 2 86400 20200831000000
> 20100831205954 61559 dnssecnsec3qatestdomain.com.
> r11osNc3HFoVFWjC1iNN9Yv3IKGvApbZwkNLdK5HTlPt+3UDB2Do7RvT
> 9SSJaZYLj4PEC8Gp6lT1L+0LlsEP9w==
> dnssecnsec3qatestdomain.com. 86396 IN NS udns2.ultradns.net.
> dnssecnsec3qatestdomain.com. 86396 IN NS udns1.ultradns.net.
>
> ;; AUTHORITY SECTION:
> dnssecnsec3qatestdomain.com. 86396 IN NS udns2.ultradns.net.
> dnssecnsec3qatestdomain.com. 86396 IN NS udns1.ultradns.net.
> dnssecnsec3qatestdomain.com. 86396 IN RRSIG NS 7 2 86400 20200831000000
> 20100831205954 61559 dnssecnsec3qatestdomain.com.
> r11osNc3HFoVFWjC1iNN9Yv3IKGvApbZwkNLdK5HTlPt+3UDB2Do7RvT
> 9SSJaZYLj4PEC8Gp6lT1L+0LlsEP9w==
>
> But dig (dnssec query) without +cd option returns servfail.
>
> [r...@stulcqanusbind1 ~]# dig dnssecnsec3qatestdomain.com. any +dnssec
>
> ; <<>> DiG 9.7.1-P2 <<>> @ dnssecnsec3qatestdomain.com. any +dnssec
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7437
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;dnssecnsec3qatestdomain.com. IN ANY
>
> In my logs I am getting messages:
>
> Jan 7 13:17:55 named[17154]: error (no valid RRSIG) resolving '
> dnssecnsec3qatestdomain.com/DNSKEY/IN': 10.31.142.103#53
> Jan 7 13:17:55 named[17154]: error (broken trust chain) resolving '
> dnssecnsec3qatestdomain.com/ANY/IN': 10.31.142.103#53
>
> When doing query without +cd option.
>
> Can you figure out what would be the exact problem?
>
> Thanks & Regards,
> Ramesh

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
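
An added example, not part of either message above: a short Python triage of the evidence quoted in the thread. It compares the header of the +cd response with the header of the plain response, then pulls the RRset named in each validator error out of the named log. The header and log lines are copied from the quoted post (the mail-wrapped log lines rejoined); the function names are this example's own.

```python
import re

# Header and log lines as quoted in the thread, embedded so this runs offline.
DIG_WITH_CD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1601
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 8, AUTHORITY: 3, ADDITIONAL: 1
"""
DIG_PLAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7437
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
NAMED_LOG = """\
Jan 7 13:17:55 named[17154]: error (no valid RRSIG) resolving 'dnssecnsec3qatestdomain.com/DNSKEY/IN': 10.31.142.103#53
Jan 7 13:17:55 named[17154]: error (broken trust chain) resolving 'dnssecnsec3qatestdomain.com/ANY/IN': 10.31.142.103#53
"""

STATUS_RE = re.compile(r"status: (\w+), id: \d+")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]+);", re.M)
LOG_RE = re.compile(
    r"named\[\d+\]: error \(([^)]+)\) resolving '([^/']+)/(\w+)/IN': (\S+)#\d+")

def parse_dig(text):
    """Return (rcode, header flag set) from dig output; None if no header."""
    status, flags = STATUS_RE.search(text), FLAGS_RE.search(text)
    if not (status and flags):
        return None
    return status.group(1), set(flags.group(1).split())

def classify(with_cd, plain):
    """Compare the +cd and plain answers to the same question."""
    a, b = parse_dig(with_cd), parse_dig(plain)
    if a is None or b is None or "cd" not in a[1]:
        return "inconclusive"
    if a[0] == "NOERROR" and b[0] == "SERVFAIL":
        return "validation failure"   # data is reachable, validator rejects it
    if a[0] == b[0] == "SERVFAIL":
        return "resolution failure"   # fails even with checking disabled
    if b[0] == "NOERROR":
        return "validated" if "ad" in b[1] else "answered, not authenticated"
    return "unclassified"

def validator_errors(log):
    """(reason, owner, rrtype, server) for each named validation error."""
    return [m.groups() for m in LOG_RE.finditer(log)]

def rrsets_to_inspect(log):
    """RRsets whose own signatures failed, as opposed to downstream failures."""
    return [(o, t) for r, o, t, _ in validator_errors(log) if r == "no valid RRSIG"]

if __name__ == "__main__":
    print(classify(DIG_WITH_CD, DIG_PLAIN))
    for owner, rrtype in rrsets_to_inspect(NAMED_LOG):
        print(f"check signatures over {owner}/{rrtype}")
```

On the quoted data this points at the DNSKEY RRset and the server 10.31.142.103 as the place to look; it does not say why the signatures over that RRset failed to validate.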