Your using the wrong tools to troubleshoot or investigate this error. Instead of relying upon resolvers to provide situational awareness you need to inspect DNSSEC itself using dnsviz.net:
https://dnsviz.net/d/pms.psc.gov/dnssec/ psc.gov is giving the world ID 5089 when they need to handing out ID 180. Recommend the pms.psc.gov admins give the psc.gov admins the correct hash. Sent from Nine<http://www.9folders.com/> ________________________________ From: Roger Hammerstein <cheek...@gmx.com> Sent: Sunday, August 22, 2021 9:45 AM To: bind-users@lists.isc.org Subject: unresolvable pms.psc.gov, but google/cloudflare/unbound work pms.psc.gov appears to be unresolvable against bind9.16.19 and 9.11.34 because of dnssec issues. But it resolves against Cloudflare's 1.1.1.1, Google's 8.8.8.8, and an Unbound resolver that does dnssec-validation. There's a ticket open with nih.gov to look into it, but is there anything that can be changed with Bind to make this domain resolve in the meantime? (pms.psc.gov): query failed (SERVFAIL) for pms.psc.gov/IN/A at query.c:8678 https://dnsviz.net/d/pms.psc.gov/dnssec/ https://dnssec-analyzer.verisignlabs.com/pms.psc.gov dig a pms.psc.gov @8.8.8.8 pms.psc.gov. 2852 IN CNAME pms.ha.psc.gov. pms.ha.psc.gov. 29 IN A 156.40.178.24 dig a pms.psc.gov @8.8.8.8 +dnssec ;; ANSWER SECTION: pms.psc.gov. 2835 IN CNAME pms.ha.psc.gov. pms.psc.gov. 2835 IN RRSIG CNAME 8 3 3600 20210827000144 20210821230144 5089 psc.gov. kpclRfRyBqaSGW6VrpkE4gP/QPfggKZTVb68npiosnt+4lIUglUxino5 jQAqd9a1p8HbdHG63HPnfYYBq1bX9q/f11CVUmxXXJUbRBGTZBnDyATP LLI2GWSZ1at364O+C+iZozi8NpJNU4oTCfd3PLScFbOfSGbPyRfUzfvB AJc= pms.ha.psc.gov. 29 IN A 156.40.178.24 pms.ha.psc.gov. 29 IN RRSIG A 7 4 30 20210827185442 20210820185442 21380 ha.psc.gov. w2XUqBVoBMtLv0qfc5xmccrpv+w2ukwGfaGJvthIKHXr2SdlAk3oQxve xyolEaj2zWn8Uj7lOsaZD8mewBMQ3iEEp8U96aFBslWV/ffEKL+H9oMM sUNU5KwNi7/Nk3KZuNc8R3xxuYTsSVdbu6ai1lQ6fmw2uWAoDP9YIqek jyo/0WFSXM+hxw/5WguijhilSRIywNgG3/6MY3ZmunPPafGTCTXigyex IBACJQJ+meD6vMi0YoRM17mwdD+7Buq2cb6LJyVYaQImh7M2gF8My75n lDns4PWEIx4bSW2uQQEPpB7MA9VI9y5CuVCmqC3wMZ2ow6G8pkaf18wv r/ucSQ== I can sometimes get a servfail out of 8.8.8.8 with an any query dig any pms.psc.gov @8.8.8.8 +dnssec ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36332 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 512 ;; QUESTION SECTION: ;pms.psc.gov. IN ANY ;; Query time: 5001 msec
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users