Hi Mark and everyone,

Thank you for continuing to help me. I have set DNS validation to auto from no and restarted the bind9 service.
# egrep dnssec-validation /etc/bind/named.conf.options
dnssec-validation auto;

# dig +dnssec +cd dnskey .

; <<>> DiG 9.16.1-Ubuntu <<>> +dnssec +cd dnskey .
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30138
;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 4c28af06251e4b51010000005fbb1b1fa619c694e6bff1b4 (good)
;; QUESTION SECTION:
;.                              IN      DNSKEY

;; ANSWER SECTION:
.                       172780  IN      DNSKEY  256 3 8 AwEAAfC/6HLClwss6h7rPfoG2cliv4/SPJRd2HPEglRsvKZRbPP2RLfi
                                obeAkczcdqaD5q8loEt14lcTgDqwzOISZ3YvSVkM4JRMFwKzcjukKo5C
                                sDVbMmhTD0C0yxWICRQ1M+Y5/XkZAT7mt4cb3fWcN9xgyq1wEXQX+zdL
                                QHrNEVQSiL5SoA5cOtCSoQ45n8bKDXdw/0jjP9Rw1FVKsdzLVkQSrVMm
                                8k30WUkHm/SK/n/954KENkdQOA6Li2vO9nicQdegyAkDeNJCdPN/p3jE
                                hCTQLyO4AlAmyaPcDHeeo7OXr/VsYu4NTDde9hBuS0zx/rewD+BvSnmn
                                NHNmH2FjUE8=
.                       172780  IN      DNSKEY  257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
                                +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
                                ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
                                0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
                                oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
                                RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
                                R1AkUTV74bU=
.                       172780  IN      RRSIG   DNSKEY 8 0 172800 20201211000000 20201120000000 20326 .
                                eD2ohirt98vCTbuBKIH8lmGum8g2zumyXA89A999extXqsWmomgVQhcb
                                l6zvJHLdFvhBmA+ZqhOTiXvdXpOPeyqHLuMiRv8TTawNU305WPnsonSx
                                uD5ThT9q7YXUZc9ty19Aur3AU0KtlNGULI+4ExrghEkdTNrysqgDWBO6
                                zslPuJlzSwu/qZcPWYVjsWRnCtJ9DyCpgLnjSYIUzA0Xz+FWtj1jM0BK
                                Z9EyO+W5EaGkL2/u+bWWG07ZKJN0NwvTuq7Ounc+lz0zZDh83r/H4KRN
                                J4VIoY3qPDkW4ZvGdAFM5o8sZdTTWKbieqCqWccj8W6sHEdiZ91JCt/G
                                3/FVsw==

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Nov 22 20:14:55 CST 2020
;; MSG SIZE  rcvd: 893

The root zone is not forwarded, and the hints file is located at:

# ls -al /usr/share/dns/root.hints*
-rw-r--r-- 1 root root 3311 May 29  2019 /usr/share/dns/root.hints
-rw-r--r-- 1 root root   72 May 29  2019 /usr/share/dns/root.hints.sig

Contents of the root.hints file are pasted at https://dpaste.com/EWKCX34NQ . The file is provided by the OS package dns-root-data (Description: 2019052802 DNS root data including root zone and DNSSEC key). Additional files provided by that package:

# dpkg-query -L dns-root-data
/.
/usr
/usr/share
/usr/share/dns
/usr/share/dns/root.ds
/usr/share/dns/root.hints
/usr/share/dns/root.hints.sig
/usr/share/dns/root.key
/usr/share/doc
/usr/share/doc/dns-root-data
/usr/share/doc/dns-root-data/changelog.gz
/usr/share/doc/dns-root-data/copyright

Not sure what changed here; I am getting results now even after setting "dnssec-validation" to auto. Really puzzled.

# dig @127.0.0.1 +dnssec +cd dnskey www.facebook.com

; <<>> DiG 9.16.1-Ubuntu <<>> @127.0.0.1 +dnssec +cd dnskey www.facebook.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19781
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 028fb4fde9f61d53010000005fbb1fcca2b3cd29887d7e13 (good)
;; QUESTION SECTION:
;www.facebook.com.              IN      DNSKEY

;; ANSWER SECTION:
www.facebook.com.       2395    IN      CNAME   star-mini.c10r.facebook.com.

;; AUTHORITY SECTION:
c10r.facebook.com.      216     IN      SOA     a.ns.c10r.facebook.com. dns.facebook.com. 1606098709 300 600 600 300

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Nov 22 20:34:52 CST 2020
;; MSG SIZE  rcvd: 176

Thank you,
Upen

On Sun, Nov 22, 2020 at 5:47 PM Mark Andrews <ma...@isc.org> wrote:

> Ok. Let's start by debugging this from the trust anchor downwards.
> Let's see what "dig +dnssec +cd dnskey ." returns. It should return
> something like below with 2 DNSKEY records and a RRSIG for the DNSKEY.
> The RRSIG is regenerated daily so it will likely differ. The DNSKEY
> records should be an exact match. In this case flags contains 'ad' which
> means that the RRset has previously been validated.
>
> [beetle:~/git/bind9] marka% dig +dnssec +cd dnskey .
> ;; BADCOOKIE, retrying.
>
> ; <<>> DiG 9.15.4 <<>> +dnssec +cd dnskey .
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12403
> ;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ; COOKIE: f182281b307ab59a010000005fbaf21fcdc7ab7803361e3c (good)
> ;; QUESTION SECTION:
> ;.                              IN      DNSKEY
>
> ;; ANSWER SECTION:
> .                       134751  IN      DNSKEY  257 3 8
>                                 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
>                                 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
>                                 ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
>                                 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
>                                 oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
>                                 RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
>                                 R1AkUTV74bU=
> .                       134751  IN      DNSKEY  256 3 8
>                                 AwEAAfC/6HLClwss6h7rPfoG2cliv4/SPJRd2HPEglRsvKZRbPP2RLfi
>                                 obeAkczcdqaD5q8loEt14lcTgDqwzOISZ3YvSVkM4JRMFwKzcjukKo5C
>                                 sDVbMmhTD0C0yxWICRQ1M+Y5/XkZAT7mt4cb3fWcN9xgyq1wEXQX+zdL
>                                 QHrNEVQSiL5SoA5cOtCSoQ45n8bKDXdw/0jjP9Rw1FVKsdzLVkQSrVMm
>                                 8k30WUkHm/SK/n/954KENkdQOA6Li2vO9nicQdegyAkDeNJCdPN/p3jE
>                                 hCTQLyO4AlAmyaPcDHeeo7OXr/VsYu4NTDde9hBuS0zx/rewD+BvSnmn
>                                 NHNmH2FjUE8=
> .                       134751  IN      RRSIG   DNSKEY 8 0 172800
>                                 20201211000000 20201120000000 20326 .
>                                 eD2ohirt98vCTbuBKIH8lmGum8g2zumyXA89A999extXqsWmomgVQhcb
>                                 l6zvJHLdFvhBmA+ZqhOTiXvdXpOPeyqHLuMiRv8TTawNU305WPnsonSx
>                                 uD5ThT9q7YXUZc9ty19Aur3AU0KtlNGULI+4ExrghEkdTNrysqgDWBO6
>                                 zslPuJlzSwu/qZcPWYVjsWRnCtJ9DyCpgLnjSYIUzA0Xz+FWtj1jM0BK
>                                 Z9EyO+W5EaGkL2/u+bWWG07ZKJN0NwvTuq7Ounc+lz0zZDh83r/H4KRN
>                                 J4VIoY3qPDkW4ZvGdAFM5o8sZdTTWKbieqCqWccj8W6sHEdiZ91JCt/G
>                                 3/FVsw==
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Nov 23 10:19:59 AEDT 2020
> ;; MSG SIZE  rcvd: 893
>
> [beetle:~/git/bind9] marka%
>
> If you don't get an answer like this then we need to work out why.
>
> Do you have a local copy of the root zone? If so, is it from IANA
> or from somewhere else?
>
> Are you forwarding the root zone? If so, what do ALL the forwarders
> return for "dig +dnssec +cd dnskey . @<server>" where <server> is
> replaced by the IP address of each server? If you are forwarding, is
> it forward "first" or "only"?
>
> Mark
>
> > On 22 Nov 2020, at 08:20, upen <upendra.gan...@gmail.com> wrote:
> >
> > Hello Anand, and all,
> >
> > >www.facebook.com
> > $ dig @127.0.0.1 -t A www.facebook.com
> >
> > ; <<>> DiG 9.16.1-Ubuntu <<>> @127.0.0.1 -t A www.facebook.com
> > ; (1 server found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38917
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 4096
> > ; COOKIE: a18d9ed2a6d1bcd6010000005fb982763dfdafed174d4ef1 (good)
> > ;; QUESTION SECTION:
> > ;www.facebook.com.              IN      A
> >
> > ;; Query time: 4 msec
> > ;; SERVER: 127.0.0.1#53(127.0.0.1)
> > ;; WHEN: Sat Nov 21 15:11:18 CST 2020
> > ;; MSG SIZE  rcvd: 73
> >
> > > Your instance of BIND is probably logging to syslog. Look for these logs
> > > (usually /var/log/messages), and see what BIND is logging. It may shed a
> > > light on the problem.
> >
> > Thank you. I enabled logging, and when I grep for www.facebook.com, I
> > notice the following output from four different log files:
> >
> > debug.log:21-Nov-2020 15:11:18.004 queries: info: client @0x7fb6a800c0a0 127.0.0.1#33706 (www.facebook.com): query: www.facebook.com IN A +E(0)K (127.0.0.1)
> > default.log:21-Nov-2020 15:11:18.008 client @0x7fb6a800c0a0 127.0.0.1#33706 (www.facebook.com): query failed (broken trust chain) for www.facebook.com/IN/A at query.c:6883
> > dnssec.log:21-Nov-2020 15:11:18.008 validating www.facebook.com/CNAME: bad cache hit (com/DS)
> > lame-servers.log:21-Nov-2020 15:11:18.008 broken trust chain resolving 'www.facebook.com/A/IN': 129.134.31.12#53
> >
> > Before running this query I also added "dnssec-validation auto;" to the
> > options file and restarted the bind9 service. It's pointing to a broken
> > trust chain which I am unsure how to resolve.
> >
> > Thanks,
> > Upen
> >
> > On Sat, Nov 21, 2020 at 3:11 PM Anand Buddhdev <ana...@ripe.net> wrote:
> >
> > On 21/11/2020 21:53, upen wrote:
> >
> > Hi Upen,
> >
> > > Could someone guide me to troubleshoot this further? Thank you for the
> > > list.
> >
> > Your instance of BIND is probably logging to syslog. Look for these logs
> > (usually /var/log/messages), and see what BIND is logging. It may shed a
> > light on the problem.
> >
> > Regards,
> > Anand
> > _______________________________________________
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> > unsubscribe from this list
> >
> > ISC funds the development of this software with paid support
> > subscriptions. Contact us at https://www.isc.org/contact/ for more
> > information.
> >
> > bind-users mailing list
> > bind-users@lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> >
> > --
> > upen,
> > emerge -uD life (Upgrade Life with dependencies)
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org

--
upen,
emerge -uD life (Upgrade Life with dependencies)
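The comparison Mark asks for above (does the DNSKEY the resolver hands back match the trust anchor?) can also be done offline. The following is an added example, not code from this thread or from ISC: it parses the root KSK (flags 257) copied from the dig output above, computes its key tag and SHA-256 DS digest per RFC 4034, and checks them against the DS record IANA publishes for key tag 20326, which is the value the dns-root-data package's root.ds should also carry.

```python
import base64
import hashlib

# Constructed input: the root KSK (flags 257, key tag 20326) copied from the
# "dig +dnssec +cd dnskey ." output in this thread, in dig's presentation format.
ROOT_KSK_LINE = (
    ". 172780 IN DNSKEY 257 3 8 "
    "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 "
    "+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv "
    "ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF "
    "0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e "
    "oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd "
    "RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN "
    "R1AkUTV74bU="
)
# DS record IANA publishes for that key (digest type 2 = SHA-256); the same
# value is what root.ds from the dns-root-data package should contain.
IANA_ROOT_DS = "20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D"

def dnskey_rdata(line):
    """Parse a presentation-format DNSKEY RR into (flags, wire-format RDATA)."""
    f = line.split()  # owner ttl class type flags proto alg key...
    flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
    key = base64.b64decode("".join(f[7:]))
    return flags, flags.to_bytes(2, "big") + bytes([proto, alg]) + key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: 16-bit sum with the carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_sha256(owner_wire, rdata):
    """DS digest type 2: SHA-256 over owner name (wire form) + DNSKEY RDATA."""
    return hashlib.sha256(owner_wire + rdata).hexdigest().upper()

def matches_trust_anchor(dnskey_line, ds_line, owner_wire=b"\x00"):
    """True only if the DNSKEY is a KSK (SEP bit set) whose key tag, algorithm
    and SHA-256 digest all equal the DS record. The root name is one zero byte."""
    tag, alg, dtype, digest = ds_line.split()
    if int(dtype) != 2:
        raise ValueError("only DS digest type 2 (SHA-256) is handled here")
    flags, rdata = dnskey_rdata(dnskey_line)
    if not flags & 0x0001:  # a ZSK (flags 256) never corresponds to a DS record
        return False
    return (key_tag(rdata) == int(tag) and rdata[3] == int(alg)
            and ds_sha256(owner_wire, rdata) == digest.upper())
```

If the KSK in your own resolver's answer fails this check, the mismatch is between your copy of the trust anchor and what the resolver is actually being handed, which is exactly where Mark's "from the trust anchor downwards" debugging starts.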