Actually, I can answer that myself:

https://dnsviz.net/d/www.dumbingofage.com/dnssec/

They are not. So what happens is that on initial query, the NS from parents are 
used to bootstrap and then named caches the child NSs and those are broken.

Not BIND 9’s fault.

Ondrej
--
Ondřej Surý (He/Him)

> On 9. 11. 2023, at 10:54, Ondřej Surý <ond...@sury.org> wrote:
> 
> Hey,
> 
> are the NS sets in parent and child in sync?
> 
> Ondrej
> --
> Ondřej Surý (He/Him)
> 
>> On 9. 11. 2023, at 10:30, Matthew Vernon <matt...@debian.org> wrote:
>> 
>> Package: bind9
>> Version: 1:9.18.19-1~deb12u1
>> Severity: normal
>> 
>> Hi,
>> 
>> This is a weird one, but it's been happening daily for a few days now,
>> so I figured it was worth reporting.
>> 
>> For the last few days, if I try and visit
>> https://www.dumbingofage.com/
>> 
>> Firefox can't resolve the hostname, similarly on the CLI:
>> matthew@aragorn:~$ host www.dumbingofage.com
>> Host www.dumbingofage.com not found: 2(SERVFAIL)
>> 
>> AFAICT the NSs work - I can do both
>> dig @23.226.68.75 www.dumbingofage.com
>> and
>> dig @23.226.68.76 www.dumbingofage.com
>> 
>> And get a sensible answer back.
>> 
>> If I restart bind9 then I am able to resolve the hostname fine, only for
>> the same problem to recur the following day.
>> 
>> So _something_ is getting confused, and I'm pretty sure it's bind :)
>> 
>> Regards,
>> 
>> Matthew
>> 
>> -- System Information:
>> Debian Release: 12.2
>> APT prefers stable-updates
>> APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
>> Architecture: amd64 (x86_64)
>> 
>> Kernel: Linux 6.1.0-13-amd64 (SMP w/8 CPU threads; PREEMPT)
>> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
>> Shell: /bin/sh linked to /usr/bin/dash
>> Init: sysvinit (via /sbin/init)
>> LSM: AppArmor: enabled
>> 
>> Versions of packages bind9 depends on:
>> ii  adduser                    3.134
>> ii  bind9-libs                 1:9.18.19-1~deb12u1
>> ii  bind9-utils                1:9.18.19-1~deb12u1
>> ii  debconf [debconf-2.0]      1.5.82
>> ii  dns-root-data              2023010101
>> ii  init-system-helpers        1.65.2
>> ii  iproute2                   6.1.0-3
>> ii  libc6                      2.36-9+deb12u3
>> ii  libcap2                    1:2.66-4
>> ii  libelogind0 [libsystemd0]  246.10-1debian1
>> ii  libfstrm0                  0.6.1-1
>> ii  libjson-c5                 0.16-2
>> ii  liblmdb0                   0.9.24-1
>> ii  libmaxminddb0              1.7.1-1
>> ii  libnghttp2-14              1.52.0-1
>> ii  libprotobuf-c1             1.4.1-1+b1
>> ii  libssl3                    3.0.11-1~deb12u2
>> ii  libuv1                     1.44.2-1
>> ii  libxml2                    2.9.14+dfsg-1.3~deb12u1
>> ii  lsb-base                   11.6
>> ii  netbase                    6.4
>> ii  sysvinit-utils [lsb-base]  3.06-4
>> ii  zlib1g                     1:1.2.13.dfsg-1
>> 
>> bind9 recommends no packages.
>> 
>> Versions of packages bind9 suggests:
>> pn  bind-doc                   <none>
>> ii  bind9-dnsutils [dnsutils]  1:9.18.19-1~deb12u1
>> ii  dnsutils                   1:9.18.19-1~deb12u1
>> pn  resolvconf                 <none>
>> pn  ufw                        <none>
>> 
>> -- Configuration Files:
>> /etc/bind/db.127 changed:
>> ;
>> ; BIND reverse data file for local loopback interface
>> ;
>> $TTL    604800
>> @    IN    SOA    ns.empire.pick.ucam.org. hostmaster.pick.ucam.org. (
>>                 3        ; Serial
>>            604800        ; Refresh
>>             86400        ; Retry
>>           2419200        ; Expire
>>            604800 )    ; Negative Cache TTL
>> ;
>> @    IN    NS    localhost.
>> 1.0.0    IN    PTR    localhost.
>> 
>> /etc/bind/named.conf changed:
>> // This is the primary configuration file for the BIND DNS server named.
>> //
>> // Please read /usr/share/doc/bind/README.Debian for information on the
>> // structure of BIND configuration files in Debian for BIND versions 8.2.1
>> // and later, *BEFORE* you customize this configuration file.
>> //
>> options {
>>       directory "/var/cache/bind";
>>   check-names master warn;
>>       // If there is a firewall between you and nameservers you want
>>       // to talk to, you might need to uncomment the query-source
>>       // directive below.  Previous versions of BIND always asked
>>       // questions using port 53, but BIND 8.1 and later use an unprivileged
>>       // port by default.
>>       // query-source address * port 53;
>>   // If your ISP provided one or more IP addresses for stable
>>   // nameservers, you probably want to use them as forwarders.  
>>   // Uncomment the following block, and insert the addresses replacing
>>   // the all-0's placeholder.
>>   //can't use this, since it would break the reverse zones we secondary
>>   //forwarders {
>>   //212.23.8.1; 212.23.8.6;
>>   //};
>> };
>> // reduce log verbosity on issues outside our control
>> logging {
>>   category lame-servers { null; };
>> //    category cname { null; };
>> };
>> // prime the server with knowledge of the root servers
>> zone "." {
>>       type hint;
>>       file "/etc/bind/db.root";
>> };
>> // be authoritative for the localhost forward and reverse zones, and for
>> // broadcast zones as per RFC 1912
>> zone "localhost" {
>>       type master;
>>       file "/etc/bind/db.local";
>> };
>> zone "127.in-addr.arpa" {
>>       type master;
>>       file "/etc/bind/db.127";
>> };
>> zone "0.in-addr.arpa" {
>>       type master;
>>       file "/etc/bind/db.0";
>> };
>> zone "255.in-addr.arpa" {
>>       type master;
>>       file "/etc/bind/db.255";
>> };
>> // add entries for other zones below here
>> zone "empire.pick.ucam.org" {
>>   type master;
>>   file "/etc/bind/db.empire";
>> };
>> zone "22.16.172.in-addr.arpa" {
>>   type master;
>>   file "/etc/bind/db.172.16.22";
>> };
>> zone "23.16.172.in-addr.arpa" {
>>   type master;
>>   file "/etc/bind/db.172.16.23";
>> };
>> // real IP address for the house network with A&A
>> //zone "160-167.100.2.81.in-addr.arpa" {
>> //    type master;
>> //    file "/etc/bind/db.81.2.100.160-167";
>> //};
>> // WAN IP address for the ADSL router with A&A
>> //zone "225.93.2.81.in-addr.arpa" {
>> //    type master;
>> //    file "/etc/bind/db.81.2.93.225";
>> //};
>> zone "easel.vpn.ucam.org" {
>>   type master;
>>   file "/etc/bind/db.easel";
>> };
>> zone "principate.org" { type slave; masters { 212.13.197.229; 93.93.128.67; 45.33.127.156; }; file "slave/principate.org"; };
>> zone "principate.org.uk" {type slave; masters { 212.13.197.229; 93.93.128.67; 45.33.127.156; }; file "slave/principate.org.uk"; };
>> zone "168.192.in-addr.arpa" { type slave; masters { 172.31.80.8; }; file "slave/168.192.in-addr.arpa"; };
>> zone "16.172.in-addr.arpa" { type slave; masters { 172.31.80.8; }; file "slave/16.172.in-addr.arpa"; };
>> zone "17.172.in-addr.arpa" { type slave; masters { 172.31.80.8; }; file "slave/17.172.in-addr.arpa"; };
>> zone "18.172.in-addr.arpa" { type slave; masters { 172.31.80.8; }; file "slave/18.172.in-addr.arpa"; };
>> zone "19.172.in-addr.arpa" { type slave; masters { 172.31.80.8; }; file "slave/19.172.in-addr.arpa"; };
>> zone "20.172.in-addr.arpa" { type slave; masters { 172.31.80.8; }; file "slave/20.172.in-addr.arpa"; };
>> zone "21.172.in-addr.arpa" { type slave; masters { 172.31.80.8; }; file "slave/21.172.in-addr.arpa"; };
>> zone "22.172.in-addr.arpa" { type slave; masters { 172.31.80.8; }; file "slave/22.172.in-addr.arpa"; };
>> zone "23.172.in-addr.arpa" { type slave; masters { 172.31.80.8; }; file "slave/23.172.in-addr.arpa"; };
>> zone "24.172.in-addr.arpa" { type slave; masters { 172.31.80.8; }; file "slave/24.172.in-addr.arpa"; };
>> zone "25.172.in-addr.arpa" { type slave; masters { 172.31.80.8; }; file "slave/25.172.in-addr.arpa"; };
>> zone "26.172.in-addr.arpa" { type slave; masters { 172.31.80.8; }; file "slave/26.172.in-addr.arpa"; };
>> zone "27.172.in-addr.arpa" { type slave; masters { 172.31.80.8; }; file "slave/27.172.in-addr.arpa"; };
>> zone "28.172.in-addr.arpa" { type slave; masters { 172.31.80.8; }; file "slave/28.172.in-addr.arpa"; };
>> zone "29.172.in-addr.arpa" { type slave; masters { 172.31.80.8; }; file "slave/29.172.in-addr.arpa"; };
>> zone "30.172.in-addr.arpa" { type slave; masters { 172.31.80.8; }; file "slave/30.172.in-addr.arpa"; };
>> zone "31.172.in-addr.arpa" { type slave; masters { 172.31.80.8; }; file "slave/31.172.in-addr.arpa"; };
>> //zone "cam.ac.uk" {type slave; masters { 131.111.8.37; 131.111.12.37; }; file "slave/cam.ac.uk"; };
>> zone "ucam.org" {type slave; masters { 212.13.197.229; }; file "slave/ucam.org"; };
>> //zone "greenend.empire.pick.ucam.org" {type slave; masters { 192.168.73.1; }; file "slave/greenend.empire.pick.ucam.org"; };
>> 
>> 
>> -- debconf information:
>> bind9/start-as-user: bind
>> bind9/different-configuration-file:
>> bind9/run-resolvconf: true
>> 
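
The parent/child NS comparison discussed in this thread can be scripted. The following is an added example, not part of the original messages and not BIND code: it compares the NS set in a parent referral with the NS set the child zone publishes at its apex. The zone `example.test`, the nameserver names and both record blocks are constructed placeholders.

```python
import re

# Constructed dig-style output (placeholders, not data from the thread), in the
# form printed by `dig +norecurse NS <zone> @<server>`: the parent returns the
# delegation in the AUTHORITY section, the child answers with its own apex NS set.
PARENT_REFERRAL = """\
;; AUTHORITY SECTION:
example.test.   172800  IN  NS  ns1.host-a.test.
example.test.   172800  IN  NS  ns2.host-a.test.
"""
CHILD_ANSWER = """\
;; ANSWER SECTION:
example.test.   3600    IN  NS  ns1.host-a.test.
example.test.   3600    IN  NS  NS9.old-host.test.
"""

NS_RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+NS\s+(\S+)\s*$", re.I)

def _fqdn(name):
    # DNS names are case-insensitive; normalise to lower case with one trailing dot.
    return name.lower().rstrip(".") + "."

def ns_set(dig_text, zone):
    """Return {nameserver: ttl} for the NS records owned by `zone`."""
    found = {}
    for line in dig_text.splitlines():
        m = NS_RR.match(line.strip())
        if m and _fqdn(m.group(1)) == _fqdn(zone):
            found[_fqdn(m.group(3))] = int(m.group(2))
    return found

def compare_delegation(parent_text, child_text, zone):
    """Report how the parent's delegation differs from the child's apex NS set."""
    parent, child = ns_set(parent_text, zone), ns_set(child_text, zone)
    return {
        "in_sync": set(parent) == set(child),
        # Used only to bootstrap; dropped once the child's answer is cached.
        "parent_only": sorted(set(parent) - set(child)),
        # Servers a resolver starts using after caching the child's NS set;
        # if these do not answer, lookups fail until the cache is cleared.
        "child_only": sorted(set(child) - set(parent)),
        # How long the child's NS set stays cached once learned.
        "child_ttl": min(child.values()) if child else None,
    }

if __name__ == "__main__":
    print(compare_delegation(PARENT_REFERRAL, CHILD_ANSWER, "example.test"))
```

Any name reported under `child_only` should be queried directly, since a resolver that has cached the child's NS set will depend on it.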
