On 4/29/20 2:30 PM, Tiemen Ruiten wrote:
> Hello Petr,
> 
> Thank you for the pointers. Even without DNSSEC validation, the query
> doesn't return the A-record. Delv also returns SERVFAIL. What I do see at
> DNSViz
> <https://dnsviz.net/d/download.wisselkoersenvoorjeadministratie.nl/dnssec/>,
> is "NSEC3 proving non-existence of
> download.wisselkoersenvoorjeadministratie". That doesn't look normal, if I
> compare it with mijn.ing.nl (hostname of a major bank in NL) there is no
> such output. I'll try to contact the domain administrators and get them to
> fix it.
> 
> I tried to set the NTA, but it also didn't make a difference. Is there any
> other way I could semi-permanently (until the domain administrators fix it)
> work around this error?

I don't know what the issue is. I am sorry, I do not know how I can help.

I tried this command:
for NS in $(dig +short ns wisselkoersenvoorjeadministratie.nl); do dig +dnssec +short download.wisselkoersenvoorjeadministratie.nl @$NS; done
185.87.187.229
A 8 2 3600 20200507000000 20200416000000 27409
wisselkoersenvoorjeadministratie.nl.
Kg7KcdhcilEWlDrSFNf87n0TYXK7Os8rKFcQOcOcR/5Sppn3Gp6H/63S
Htw62Qcy4lhkV+cM8xBZHFVhsLoXeOfaVAU7kcn9W0vNoB+lLC+V/qAm
JDPl/7a8n5mJMoiRRR2VcX4EFNYEyrsMWa0XFW7ukVmCqDCWnX8n/8kR Irk=
A 8 2 3600 20200507000000 20200416000000 27409
wisselkoersenvoorjeadministratie.nl.
Kg7KcdhcilEWlDrSFNf87n0TYXK7Os8rKFcQOcOcR/5Sppn3Gp6H/63S
Htw62Qcy4lhkV+cM8xBZHFVhsLoXeOfaVAU7kcn9W0vNoB+lLC+V/qAm
JDPl/7a8n5mJMoiRRR2VcX4EFNYEyrsMWa0XFW7ukVmCqDCWnX8n/8kR Irk=
185.87.187.229
185.87.187.229
A 8 2 3600 20200507000000 20200416000000 27409
wisselkoersenvoorjeadministratie.nl.
Kg7KcdhcilEWlDrSFNf87n0TYXK7Os8rKFcQOcOcR/5Sppn3Gp6H/63S
Htw62Qcy4lhkV+cM8xBZHFVhsLoXeOfaVAU7kcn9W0vNoB+lLC+V/qAm
JDPl/7a8n5mJMoiRRR2VcX4EFNYEyrsMWa0XFW7ukVmCqDCWnX8n/8kR Irk=

It looks ok at first glance. I could not find anything similar to
dnsviz.net in the responses. Would it be possible that just some geolocation
nodes are broken and others work? delv works fine on that name for me. I
do not have IPv6 connectivity, if that changes anything.

I have never seen such a diagram for a name on dnsviz. I think there is
definitely something wrong with their server, maybe not only wrong
signatures. It should be in your named-pkcs11 logs when rndc trace is
increased to at least 5.

Checking what their servers responded would be most important. It seems
I see a different result than dnsviz.net. Checking from different regions
might help, if possible.
> 
> On Wed, Apr 29, 2020 at 11:52 AM Petr Menšík via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
> 
>> Hi Tiemen,
>>
>> it might help you to use dig and delv to debug DNS related issues.
>> SERVFAIL is quite often some issue in DNSSEC validation. To ensure
>> validation is responsible, try just:
>>
>>     dig +cd download.wisselkoersenvoorjeadministratie.nl
>>
>> If it succeeds, validation is responsible. A quite good tool to discover
>> what is wrong in that is delv. Use +vtrace to get details. If your server
>> provides recursive service, try targeting it with @127.0.0.1.
>>
>>     delv +cd +vtrace @127.0.0.1
>> download.wisselkoersenvoorjeadministratie.nl
>>
>> If it tells you fully validated, it is ok. Try removing +cd. When it still
>> validates, bind should get the same results. Only cached records may
>> produce different results.
>>
>> Try flushing cache under that domain:
>>
>>     rndc flushtree wisselkoersenvoorjeadministratie.nl
>>
>> In case the owner of that domain fixed the signature, it might help. If this
>> did not help and you are quite sure this is an unintended error, a temporary
>> validation exception could be set. Before you do it, you should be
>> confident no one tried to push a wrong answer into your cache. Usually, it
>> should be an error on the domain's servers that its operator has not yet fixed.
>>
>>     rndc nta wisselkoersenvoorjeadministratie.nl
>>
>> Note NTA is time limited for a reason. Correct is fixing it on
>> authoritative servers and flushing just cached tree. Check man rndc for
>> details.
>>
>> named-pkcs11 trace logs would get you similar messages to delv. But I find
>> delv easier to use if possible.
>>
>> Validation of www.regenboog-lelystad.nl. failed few minutes ago to me,
>> but seems to be fixed now.
>>
>> Regards,
>> Petr
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>>
> 
> 

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
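As an added example (not part of this thread or of BIND), a small Python helper that reads the per-nameserver `dig +dnssec +short` output from the loop above, checks that every server returns the same A RRset and the same signature, and checks that each RRSIG's inception/expiration window covers the current time. The sample data is constructed after the thread's output; the ns1/ns2/ns3 names, the third server's answer and the signature placeholders are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on the thread's `dig +dnssec +short` loop: two
# servers agree; hypothetical ns3 returns another address and an old RRSIG.
SAMPLE = {
    "ns1.example.": "185.87.187.229\nA 8 2 3600 20200507000000 20200416000000 "
                    "27409 wisselkoersenvoorjeadministratie.nl. BASE64SIG1",
    "ns2.example.": "185.87.187.229\nA 8 2 3600 20200507000000 20200416000000 "
                    "27409 wisselkoersenvoorjeadministratie.nl. BASE64SIG1",
    "ns3.example.": "192.0.2.10\nA 8 2 3600 20200401000000 20200301000000 "
                    "27409 wisselkoersenvoorjeadministratie.nl. BASE64SIG2",
}
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_short(output):
    """Split +short output into the A RRset and the RRSIG(s) covering it."""
    addrs, rrsigs = set(), []
    for line in output.splitlines():
        f = line.split()
        if f and IPV4.match(f[0]):
            addrs.add(f[0])
        elif len(f) >= 9 and f[0] == "A":   # RRSIG covering type A
            rrsigs.append({"alg": int(f[1]), "labels": int(f[2]), "ttl": int(f[3]),
                           "expire": f[4], "incept": f[5], "keytag": int(f[6]),
                           "signer": f[7], "sig": "".join(f[8:])})
    return addrs, rrsigs

def ts(s):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC (RFC 4034)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def rrsig_in_window(rrsig, now):
    return ts(rrsig["incept"]) <= now <= ts(rrsig["expire"])

def compare_servers(responses, now):
    """Findings across servers; an empty list means consistent and valid."""
    parsed = {ns: parse_short(out) for ns, out in responses.items()}
    findings = []
    if len({frozenset(a) for a, _ in parsed.values()}) > 1:
        findings.append("A RRset differs between servers")
    if len({s["sig"] for _, rs in parsed.values() for s in rs}) > 1:
        findings.append("RRSIG differs between servers")
    for ns, (_, rs) in parsed.items():
        for s in rs:
            if not rrsig_in_window(s, now):
                findings.append("%s: RRSIG outside %s..%s" % (ns, s["incept"], s["expire"]))
    return findings
```

This only checks consistency and timing, not the signature itself; delv +vtrace, as suggested above, does the cryptographic validation.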