resolv.conf has only itself as DNS server.

When using dnssec-validation AUTO, and turning on debug, the following is shown when I nslookup from my PC towards the server.

13-Nov-2020 11:09:18.998 client @0x7f7fb41d6b20 xxx.xxx.xxx.252#30201: request is not signed
13-Nov-2020 11:09:18.998 client @0x7f7fb41d6b20 xxx.xxx.xxx.252#30201: recursion available
13-Nov-2020 11:09:18.998 client @0x7f7fb41d6b20 xxx.xxx.xxx.252#30201 (www.popularsba.com): query: www.popularsba.com IN A + (xxx.xxx.xxx.152)
13-Nov-2020 11:09:18.998 client @0x7f7fb41d6b20 xxx.xxx.xxx.252#30201 (www.popularsba.com): query (cache) 'www.popularsba.com/A/IN' approved
13-Nov-2020 11:09:18.998 fetch: www.popularsba.com/A
13-Nov-2020 11:09:18.999 fetch: ha1.markmonitor.zone/A
13-Nov-2020 11:09:18.999 fetch: ha2.markmonitor.zone/A
13-Nov-2020 11:09:18.999 fetch: ha3.markmonitor.zone/A
13-Nov-2020 11:09:18.999 fetch: ha4.markmonitor.zone/A
13-Nov-2020 11:09:24.000 client @0x7f7fb41f3a40 xxx.xxx.xxx.252#30201: request is not signed
13-Nov-2020 11:09:24.000 client @0x7f7fb41f3a40 xxx.xxx.xxx.252#30201: recursion available
13-Nov-2020 11:09:24.000 client @0x7f7fb41f3a40 xxx.xxx.xxx.252#30201 (www.popularsba.com): query: www.popularsba.com IN A + (xxx.xxx.xxx.152)
13-Nov-2020 11:09:24.000 client @0x7f7fb41f3a40 xxx.xxx.xxx.252#30201 (www.popularsba.com): query (cache) 'www.popularsba.com/A/IN' approved
13-Nov-2020 11:09:24.000 fetch: www.popularsba.com/A
13-Nov-2020 11:09:24.000 client @0x7f7fb41f3a40 xxx.xxx.xxx.252#30201 (www.popularsba.com): request failed: duplicate query
13-Nov-2020 11:09:27.051 fetch: popularsba.com/DS

On my client I get:

** server can't find www.popularsba.com: SERVFAIL

Masked the IP just in case.

-----Original Message-----
From: Petr Menšík <pemen...@redhat.com>
To: Ismael Suarez <ismael_sua...@coqui.com>, bind-users@lists.isc.org
Subject: Re: Dnssec-validation auto
Date: Fri, 13 Nov 2020 14:19:47 +0100

I would check what nameservers are in /etc/resolv.conf, and try to direct delv or dig to their addresses.

for H in $(awk '$1 == "nameserver" { print $2 }' /etc/resolv.conf); do dig +dnssec @$H www.popularsba.com ; done

Check that every server returns reliable and the same results. I had one NOERROR and one SERVFAIL from our infrastructure. The second server provides more servers in the ADDITIONAL section. The second retry was successful. It might take a bit more time to fetch and verify addresses of all authoritative servers of the gslb.siteforce.com. domain. Six seems a lot.

; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8 <<>> +dnssec @10.5.30.45 www.popularsba.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43145
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 6, ADDITIONAL: 13

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.popularsba.com.            IN      A

;; ANSWER SECTION:
www.popularsba.com.     262     IN      CNAME   www.popularsba.com.00d1n000002kxqqua0.live.siteforce.com.
www.popularsba.com.00d1n000002kxqqua0.live.siteforce.com. 262 IN CNAME 4.0p13m0000008e6qcaq.00d1n000002kxqqua0.gslb.siteforce.com.
4.0p13m0000008e6qcaq.00d1n000002kxqqua0.gslb.siteforce.com. 82 IN A 13.109.220.200

;; AUTHORITY SECTION:
gslb.siteforce.com.     55886   IN      NS      dns05.salesforce.com.
gslb.siteforce.com.     55886   IN      NS      dns01.salesforce.com.
gslb.siteforce.com.     55886   IN      NS      dns02.salesforce.com.
gslb.siteforce.com.     55886   IN      NS      dns04.salesforce.com.
gslb.siteforce.com.     55886   IN      NS      dns06.salesforce.com.
gslb.siteforce.com.     55886   IN      NS      dns03.salesforce.com.

;; ADDITIONAL SECTION:
dns01.salesforce.com.   53547   IN      A       204.74.108.235
dns02.salesforce.com.   53547   IN      A       204.74.109.235
dns04.salesforce.com.   53547   IN      A       199.7.69.235
dns03.salesforce.com.   53547   IN      A       199.7.68.235
dns06.salesforce.com.   53547   IN      A       204.74.115.235
dns05.salesforce.com.   53547   IN      A       204.74.114.235
dns01.salesforce.com.   53547   IN      RRSIG   A 13 3 86400 20201130021251 20201001013506 2317 salesforce.com. fUb+1uVGcdeVSsjTj1O++bcNLZwapzTvLcHLP+tykm3y3ziCSIHtxfCp 3kZqdBQtB3nGd7ySGPEblvBJA4ZHUA==
dns02.salesforce.com.   53547   IN      RRSIG   A 13 3 86400 20201130021251 20201001013506 2317 salesforce.com. QOVhwrJ0dwkHRHLr/ytEzmZ04bYaAzN2ooDfJOVJXDCinYGFuNTRmPhs uFawDGlRlFja8OyiIyJXIFvwXKGSxg==
dns04.salesforce.com.   53547   IN      RRSIG   A 13 3 86400 20201130021251 20201001013506 2317 salesforce.com. DXOOYz5odrnY7SkWNvU0NiGOZEWalNT+0VYCYgd7wl6Rj0cOR4slFrvR ADj5eAgFLybADvTviia/xbqz4u7ueQ==
dns03.salesforce.com.   53547   IN      RRSIG   A 13 3 86400 20201130021251 20201001013506 2317 salesforce.com. Rkzv/z9vhnURB8hueZgkQrKFffLB9Zj423ZPHoPXtoECxNVk/ZV/ODv4 BQZLT8+t8W7cLILNyXVVpEjG2ejE9Q==
dns06.salesforce.com.   53547   IN      RRSIG   A 13 3 86400 20201218220609 20201019213201 2317 salesforce.com. YcTDijezumyiv+WZcvZqFk/yOJ2r7WdxZ5XFwIjt5R6iDOSQNChxhQ3G dhR28sLna+rM9yVehyyEyCh4iJUeHg==
dns05.salesforce.com.   53547   IN      RRSIG   A 13 3 86400 20201130021251 20201001013506 2317 salesforce.com. gmzIaK0lTolbkUaIGfHTLl2+TzUYQUtxHJ5yevEzdLmaE8z0AW7JBVXf 07osroe/7LxRQO38ZCxNZHVXfQnMHA==

;; Query time: 45 msec
;; SERVER: 10.5.30.45#53(10.5.30.45)
;; WHEN: Fri Nov 13 08:12:49 EST 2020
;; MSG SIZE  rcvd: 1076

It seems to me only the dns0?.salesforce.com. hosts are in a DNSSEC-signed domain. Try debugging salesforce.com. domain verification instead.

On 11/13/20 1:59 PM, Ismael Suarez wrote:

With "dnssec-validation AUTO;" I get:

# delv +cd www.popularsba.com
;; resolution failed: timed out

With "dnssec-validation NO;" I get:

# delv +cd www.popularsba.com
;; resolution failed: timed out
; unsigned answer
www.popularsba.com.     279     IN      CNAME   www.popularsba.com.00d1n000002kxqqua0.live.siteforce.com.

CAPS just to show the difference in .conf.

--
Ismael Suárez Maldonado | UNIX ADM | Coqui.Net Corp / ClaroTV
ismael_sua...@coqui.com | T: 787-793-0001 x 4007

-----Original Message-----
From: Petr Menšík <pemen...@redhat.com>
To: bind-users@lists.isc.org
Subject: Re: Dnssec-validation auto
Date: Fri, 13 Nov 2020 11:26:17 +0100

Hi Ismael,

the easiest way to check validation is using the delv tool from BIND 9.11+. It uses the same algorithm as the BIND server does. If you get SERVFAIL from your recursive server, try adding the +cd parameter to delv or dig. When it works with +cd, validation is responsible somewhere in the recursive servers chain.

It shows just unsigned to me, today.

$ delv +cd www.popularsba.com
; unsigned answer
www.popularsba.com.     282     IN      CNAME   www.popularsba.com.00d1n000002kxqqua0.live.siteforce.com.
www.popularsba.com.00d1n000002kxqqua0.live.siteforce.com. 282 IN CNAME 4.0p13m0000008e6qcaq.00d1n000002kxqqua0.gslb.siteforce.com.
4.0p13m0000008e6qcaq.00d1n000002kxqqua0.gslb.siteforce.com. 102 IN A 161.71.31.253

Cheers,
Petr

On 11/13/20 5:26 AM, Ismael Suarez wrote:

Hi all,

The following domain (www.popularsba.com) does not resolve with dnssec validation set to auto, but when I change the validation off it works. Why is this? How can I check this validation? Using bind 9.12.

Thanks to all

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
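The isolation procedure Petr recommends in the thread (query every nameserver listed in /etc/resolv.conf with +dnssec, then repeat with +cd and compare: a SERVFAIL that turns into NOERROR with checking disabled points at validation, a failure that persists with +cd points at reachability or the upstream chain), written out as an added shell example. This is not code from the thread or from ISC; it uses dig rather than delv, assumes dig from BIND 9.11+ on PATH, and the sample dig headers it checks against are constructed here, not captured from a real resolver.

```shell
#!/bin/sh
# Added example, not from the bind-users thread. Compares a validating
# query with a checking-disabled (+cd) query per resolver and classifies
# the outcome. Assumes dig (BIND 9.11+) is installed.

# Extract the RCODE from dig output text (the ';; ->>HEADER<<- ... status: X,'
# line). Prints NONE when dig produced no header, e.g. on a timeout.
dig_status() {
    s=$(printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    [ -n "$s" ] && printf '%s\n' "$s" || printf 'NONE\n'
}

# Report whether the resolver set the AD flag, i.e. it actually validated the
# answer. A NOERROR without AD (as in the dig output in the thread) means the
# data was unsigned or the resolver is not validating.
dig_ad() {
    printf '%s\n' "$1" | grep -q '^;; flags:.* ad[ ;]' && echo yes || echo no
}

# Turn the two statuses into a verdict:
#   ok                 - validating query succeeded
#   validation-failure - SERVFAIL only while validating, NOERROR with +cd
#   upstream-failure   - fails (or times out) even with +cd: not a DNSSEC problem
#   other              - NXDOMAIN, REFUSED and anything else
classify() {
    case "$1/$2" in
        NOERROR/*)                        echo ok ;;
        SERVFAIL/NOERROR)                 echo validation-failure ;;
        SERVFAIL/SERVFAIL|SERVFAIL/NONE)  echo upstream-failure ;;
        *)                                echo other ;;
    esac
}

# Run the procedure against every nameserver in /etc/resolv.conf, the same
# awk loop as in the thread, for each name given on the command line.
check_resolvers() {
    for name in "$@"; do
        for h in $(awk '$1 == "nameserver" { print $2 }' /etc/resolv.conf); do
            plain=$(dig +dnssec +time=5 +tries=1 @"$h" "$name" 2>&1)
            cdout=$(dig +dnssec +cd +time=5 +tries=1 @"$h" "$name" 2>&1)
            ps=$(dig_status "$plain")
            cs=$(dig_status "$cdout")
            printf '%-16s %-28s %-9s +cd=%-9s ad=%-3s %s\n' \
                "$h" "$name" "$ps" "$cs" "$(dig_ad "$plain")" "$(classify "$ps" "$cs")"
        done
    done
}

# Constructed sample headers (not real captures) so the parsing can be
# exercised without network access.
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1234
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_NOERROR_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1235
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 6, ADDITIONAL: 13'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

# Usage: ./dnssec-check.sh www.popularsba.com [more names...]
if [ $# -gt 0 ]; then
    check_resolvers "$@"
fi
```

One line per resolver and name makes the two cases Petr saw (NOERROR from one server, SERVFAIL from another) visible side by side; a "validation-failure" verdict is the cue to move on to delv, or to trace the signed parent (here salesforce.com.) rather than the unsigned leaf name.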