Yes, bypassing DNSSEC Validation seems to have a solution. Thanks for the help.
On Wed, Aug 30, 2023 at 7:30 PM Bhangui, Sandeep - BLS CTR via bind-users < bind-users@lists.isc.org> wrote: > This seems to be an issue with the domain incometax.gov.in. > > > > DNSSEC looks like is broken for that domain. > > > > NS servers at our location also cannot resolve that directly but if I > forward that query to any ISP provider NS which are more lax it resolves > just fine. > > > > Thanks > > Sandeep > > > > *From:* bind-users <bind-users-boun...@lists.isc.org> *On Behalf Of *John > W. Blue via bind-users > *Sent:* Wednesday, August 30, 2023 9:39 AM > *To:* bind-users <bind-users@lists.isc.org> > *Subject:* RE: Facing issues while resolving only one record > > > > *CAUTION*: *This email originated from outside of BLS. DO NOT click > (select) links or open attachments unless you recognize the sender and know > the content is safe. Please report suspicious emails through the “Phish > Alert Report” button on your email toolbar. * > > Recommend you turn off DNSSEC validation and see if it starts working. > > > > If it does, then you know the issue is with how DNSSEC is configured on > your server. > > > > John > > > > *From:* bind-users [mailto:bind-users-boun...@lists.isc.org > <bind-users-boun...@lists.isc.org>] *On Behalf Of *Blason R > *Sent:* Wednesday, August 30, 2023 8:20 AM > *To:* bind-users > *Subject:* Facing issues while resolving only one record > > > > Hi all, > > > > I have bind BIND 9.18.17-1+ubuntu22.04.1+isc+1-Ubuntu (Extended Support > Version) > > And I am facing this weird issue. Somehow eportal.incometax.gov.in site > is not getting resolved through DNS. > > > > I tried a lot but unfortunately the issue still persists. > > > > Here are packet capture logs. > > > > listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length > 262144 bytes > 18:47:19.569999 ens18 In IP 192.168.1.162.61110 > 192.168.1.133.53: 20+ > A? eportal.incometax.gov.in. (42) > 18:47:19.587705 ens18 Out IP 192.168.1.133.40263 > 208.67.222.222.53: > 30627+% [1au] A? eportal.incometax.gov.in. (65) > 18:47:19.599214 ens18 Out IP 192.168.1.133.44299 > 1.1.1.1.53: 62952+% > [1au] DNSKEY? incometax.gov.in. (57) > 18:47:20.800736 ens18 Out IP 192.168.1.133.56154 > 8.8.8.8.53: 16152+% > [1au] DNSKEY? incometax.gov.in. (57) > 18:47:21.573628 ens18 In IP 192.168.1.162.53536 > 192.168.1.133.53: 21+ > AAAA? eportal.incometax.gov.in. (42) > 18:47:21.576427 ens18 Out IP 192.168.1.133.55356 > 8.8.8.8.53: 57361+% > [1au] AAAA? eportal.incometax.gov.in. (65) > 18:47:22.002738 ens18 Out IP 192.168.1.133.33064 > 208.67.222.222.53: > 16204+% [1au] DNSKEY? incometax.gov.in. (57) > 18:47:22.777934 ens18 Out IP 192.168.1.133.58739 > 208.67.222.222.53: > 34205+% [1au] AAAA? eportal.incometax.gov.in. (65) > 18:47:23.203333 ens18 Out IP 192.168.1.133.60920 > 9.9.9.9.53: 46145+% > [1au] DNSKEY? incometax.gov.in. (57) > 18:47:23.584820 ens18 In IP 192.168.1.162.53962 > 192.168.1.133.53: 22+ > A? eportal.incometax.gov.in. (42) > 18:47:24.405041 ens18 Out IP 192.168.1.133.56475 > 198.41.0.4.53: 12349 > [1au] DNSKEY? incometax.gov.in. (57) > 18:47:25.205136 ens18 Out IP 192.168.1.133.33517 > 192.36.148.17.53: 18768 > [1au] DNSKEY? incometax.gov.in. (57) > 18:47:25.237837 ens18 Out IP 192.168.1.133.43646 > 156.154.100.20.53: > 28883 [1au] DNSKEY? incometax.gov.in. (57) > 18:47:25.259888 ens18 Out IP 192.168.1.133.51762 > 59.160.103.171.53: > 46716 [1au] DNSKEY? incometax.gov.in. (57) > 18:47:25.597312 ens18 In IP 192.168.1.162.53963 > 192.168.1.133.53: 23+ > AAAA? eportal.incometax.gov.in. (42) > 18:47:26.498891 ens18 Out IP 192.168.1.133.52631 > 125.16.225.122.53: > 12762 [1au] DNSKEY? incometax.gov.in. (57) > > > > I feel this is something related to DNS RRKEY Record size? > > > > Plus then I dumbdb on my server and went through cache using command > > *#rndc dumpdb -all* > > > > And here is the output > > > > incometax.gov.in. 3422 NS ns01.incometax.gov.in. > 3422 NS ns02.incometax.gov.in. > ns01.incometax.gov.in. 131 \-AAAA ;-$NXRRSET > ; ns01.incometax.gov.in. RRSIG NSEC ... > ; ns01.incometax.gov.in. NSEC ns02.incometax.gov.in. A RRSIG NSEC > ; incometax.gov.in. SOA ns01.incometax.gov.in. > ns-admin.cpc.incometax.gov.in. 2023060970 7200 3600 1209600 3600 > ; incometax.gov.in. RRSIG SOA ... > ns02.incometax.gov.in. 120 \-AAAA ;-$NXRRSET > ; ns02.incometax.gov.in. RRSIG NSEC ... > ; ns02.incometax.gov.in. NSEC ns03.incometax.gov.in. A RRSIG NSEC > ; incometax.gov.in. SOA ns02.incometax.gov.in. > ns-admin.cpc.incometax.gov.in. 2023071447 7200 3600 1209600 3600 > ; incometax.gov.in. RRSIG SOA ... > ; ns01.incometax.gov.in [v6 TTL 131] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 120] [v4 unexpected] [v6 nxrrset] > ; ns01.incometax.gov.in [v6 TTL 131] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 120] [v4 unexpected] [v6 nxrrset] > ; ns01.incometax.gov.in [v6 TTL 131] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 120] [v4 unexpected] [v6 nxrrset] > ; ns01.incometax.gov.in [v6 TTL 131] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 120] [v4 unexpected] [v6 nxrrset] > ; ns01.incometax.gov.in [v6 TTL 131] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 120] [v4 unexpected] [v6 nxrrset] > ; ns01.incometax.gov.in [v6 TTL 130] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 119] [v4 unexpected] [v6 nxrrset] > ; ns01.incometax.gov.in [v6 TTL 128] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 117] [v4 unexpected] [v6 nxrrset] > ; ns01.incometax.gov.in [v6 TTL 128] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 117] [v4 unexpected] [v6 nxrrset] > ; ns01.incometax.gov.in [v6 TTL 128] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 117] [v4 unexpected] [v6 nxrrset] > ; ns01.incometax.gov.in [v6 TTL 128] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 117] [v4 unexpected] [v6 nxrrset] > ; ns01.incometax.gov.in [v6 TTL 128] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 117] [v4 unexpected] [v6 nxrrset] > ; ns01.incometax.gov.in [v6 TTL 125] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 114] [v4 unexpected] [v6 nxrrset] > ; ns01.incometax.gov.in [v6 TTL 125] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 114] [v4 unexpected] [v6 nxrrset] > ; ns01.incometax.gov.in [v6 TTL 125] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 114] [v4 unexpected] [v6 nxrrset] > ; ns01.incometax.gov.in [v6 TTL 125] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 114] [v4 unexpected] [v6 nxrrset] > ; ns01.incometax.gov.in [v6 TTL 125] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 114] [v4 unexpected] [v6 nxrrset] > ; ns01.incometax.gov.in [v6 TTL 125] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 114] [v4 unexpected] [v6 nxrrset] > ; ns01.incometax.gov.in [v6 TTL 125] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 114] [v4 unexpected] [v6 nxrrset] > ; ns01.incometax.gov.in [v6 TTL 125] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 114] [v4 unexpected] [v6 nxrrset] > ; ns01.incometax.gov.in [v6 TTL 124] [v4 unexpected] [v6 nxrrset] > ; ns02.incometax.gov.in [v6 TTL 113] [v4 unexpected] [v6 nxrrset] > > > > Any idea what could be an issue? > > > -- > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > ISC funds the development of this software with paid support > subscriptions. Contact us at https://www.isc.org/contact/ for more > information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users >
-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users