Hi Blason. "incometax.gov.in" is a domain known to cause problems. Take a binary packet capture and look at it in Wireshark. Also see this https://dnsviz.net/d/incometax.gov.in/dnssec/
A workaround in BIND is to disable DNSSEC validation for just that domain whilst leaving it on generally: see below. DNSSEC validation is on ("auto") by default these days. Please don't turn it off for everything. options { ... validate-except { incometax.gov.in; ... }; ... }; Hope this helps. Greg On Wed, 30 Aug 2023 at 14:20, Blason R <blaso...@gmail.com> wrote: > Hi all, > > I have bind BIND 9.18.17-1+ubuntu22.04.1+isc+1-Ubuntu (Extended Support > Version) > And I am facing this weird issue. Somehow eportal.incometax.gov.in site > is not getting resolved through DNS. > > I tried a lot but unfortunately the issue still persists. > > Here are packet capture logs. > > listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length > 262144 bytes > 18:47:19.569999 ens18 In IP 192.168.1.162.61110 > 192.168.1.133.53: 20+ > A? eportal.incometax.gov.in. (42) > 18:47:19.587705 ens18 Out IP 192.168.1.133.40263 > 208.67.222.222.53: > 30627+% [1au] A? eportal.incometax.gov.in. (65) > 18:47:19.599214 ens18 Out IP 192.168.1.133.44299 > 1.1.1.1.53: 62952+% > [1au] DNSKEY? incometax.gov.in. (57) > 18:47:20.800736 ens18 Out IP 192.168.1.133.56154 > 8.8.8.8.53: 16152+% > [1au] DNSKEY? incometax.gov.in. (57) > 18:47:21.573628 ens18 In IP 192.168.1.162.53536 > 192.168.1.133.53: 21+ > AAAA? eportal.incometax.gov.in. (42) > 18:47:21.576427 ens18 Out IP 192.168.1.133.55356 > 8.8.8.8.53: 57361+% > [1au] AAAA? eportal.incometax.gov.in. (65) > 18:47:22.002738 ens18 Out IP 192.168.1.133.33064 > 208.67.222.222.53: > 16204+% [1au] DNSKEY? incometax.gov.in. (57) > 18:47:22.777934 ens18 Out IP 192.168.1.133.58739 > 208.67.222.222.53: > 34205+% [1au] AAAA? eportal.incometax.gov.in. (65) > 18:47:23.203333 ens18 Out IP 192.168.1.133.60920 > 9.9.9.9.53: 46145+% > [1au] DNSKEY? incometax.gov.in. (57) > 18:47:23.584820 ens18 In IP 192.168.1.162.53962 > 192.168.1.133.53: 22+ > A? eportal.incometax.gov.in. (42) > 18:47:24.405041 ens18 Out IP 192.168.1.133.56475 > 198.41.0.4.53: 12349 > [1au] DNSKEY? incometax.gov.in. (57) > 18:47:25.205136 ens18 Out IP 192.168.1.133.33517 > 192.36.148.17.53: 18768 > [1au] DNSKEY? incometax.gov.in. (57) > 18:47:25.237837 ens18 Out IP 192.168.1.133.43646 > 156.154.100.20.53: > 28883 [1au] DNSKEY? incometax.gov.in. (57) > 18:47:25.259888 ens18 Out IP 192.168.1.133.51762 > 59.160.103.171.53: > 46716 [1au] DNSKEY? incometax.gov.in. (57) > 18:47:25.597312 ens18 In IP 192.168.1.162.53963 > 192.168.1.133.53: 23+ > AAAA? eportal.incometax.gov.in. (42) > 18:47:26.498891 ens18 Out IP 192.168.1.133.52631 > 125.16.225.122.53: > 12762 [1au] DNSKEY? incometax.gov.in. (57) > > I feel this is something related to DNS RRKEY Record size? > > Plus then I dumbdb on my server and went through cache using command > *#rndc dumpdb -all* > > And here is the output > > incometax.gov.in. 3422 NS ns01.incometax.gov.in. > 3422 NS ns02.incometax.gov.in. > ns01.incometax.gov.in. 131 \-AAAA ;-$NXRRSET > ; ns01.incometax.gov.in. RRSIG NSEC ... > ; ns01.incometax.gov.in. NSEC ns02.incometax.gov.in. A RRSIG NSEC > ; incometax.gov.in. SOA ns01.incometax.gov.in. > ns-admin.cpc.incometax.gov.in. 2023060970 7200 3600 1209600 3600 > ; incometax.gov.in. RRSIG SOA ... > ns02.incometax.gov.in. 120 \-AAAA ;-$NXRRSET > ; ns02.incometax.gov.in. RRSIG NSEC ... > ; ns02.incometax.gov.in. NSEC ns03.incometax.gov.in. A RRSIG NSEC > ; incometax.gov.in. SOA ns02.incometax.gov.in. > ns-admin.cpc.incometax.gov.in. 2023071447 7200 3600 1209600 3600 > ; incometax.gov.in. RRSIG SOA ... > ; ns01.incometax.gov.in [v6 TTL 131] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 120] [v4 unexpected] [v6 nxrrset] > ; ns01.incometax.gov.in [v6 TTL 131] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 120] [v4 unexpected] [v6 nxrrset] > ; ns01.incometax.gov.in [v6 TTL 131] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 120] [v4 unexpected] [v6 nxrrset] > ; ns01.incometax.gov.in [v6 TTL 131] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 120] [v4 unexpected] [v6 nxrrset] > ; ns01.incometax.gov.in [v6 TTL 131] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 120] [v4 unexpected] [v6 nxrrset] > ; ns01.incometax.gov.in [v6 TTL 130] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 119] [v4 unexpected] [v6 nxrrset] > ; ns01.incometax.gov.in [v6 TTL 128] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 117] [v4 unexpected] [v6 nxrrset] > ; ns01.incometax.gov.in [v6 TTL 128] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 117] [v4 unexpected] [v6 nxrrset] > ; ns01.incometax.gov.in [v6 TTL 128] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 117] [v4 unexpected] [v6 nxrrset] > ; ns01.incometax.gov.in [v6 TTL 128] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 117] [v4 unexpected] [v6 nxrrset] > ; ns01.incometax.gov.in [v6 TTL 128] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 117] [v4 unexpected] [v6 nxrrset] > ; ns01.incometax.gov.in [v6 TTL 125] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 114] [v4 unexpected] [v6 nxrrset] > ; ns01.incometax.gov.in [v6 TTL 125] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 114] [v4 unexpected] [v6 nxrrset] > ; ns01.incometax.gov.in [v6 TTL 125] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 114] [v4 unexpected] [v6 nxrrset] > ; ns01.incometax.gov.in [v6 TTL 125] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 114] [v4 unexpected] [v6 nxrrset] > ; ns01.incometax.gov.in [v6 TTL 125] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 114] [v4 unexpected] [v6 nxrrset] > ; ns01.incometax.gov.in [v6 TTL 125] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 114] [v4 unexpected] [v6 nxrrset] > ; ns01.incometax.gov.in [v6 TTL 125] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 114] [v4 unexpected] [v6 nxrrset] > ; ns01.incometax.gov.in [v6 TTL 125] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 114] [v4 unexpected] [v6 nxrrset] > ; ns01.incometax.gov.in [v6 TTL 124] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 113] [v4 unexpected] [v6 nxrrset] > > Any idea what could be an issue? > > -- > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > ISC funds the development of this software with paid support > subscriptions. Contact us at https://www.isc.org/contact/ for more > information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users >
-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users