Re: dig ds c10r.facebook.com returns SERVFAIL

2018-09-03 Thread Mark Andrews
> On 4 Sep 2018, at 8:40 am, Laurent Bigonville wrote:
>
> On 3/09/18 23:38, Tony Finch wrote:
>>> On 3 Sep 2018, at 21:26, Laurent Bigonville wrote:
>>>
>>> The problem is that systemd-resolved (maybe other software are doing the
>>> same?) is asking the DS record to check if the record is

Re: dig ds c10r.facebook.com returns SERVFAIL

2018-09-03 Thread Laurent Bigonville
On 3/09/18 23:38, Tony Finch wrote: On 3 Sep 2018, at 21:26, Laurent Bigonville wrote: The problem is that systemd-resolved (maybe other software are doing the same?) is asking the DS record to check if the record is supposed to be signed (well I think) before trying to do DNSSEC validation o

Re: dig ds c10r.facebook.com returns SERVFAIL

2018-09-03 Thread Tony Finch
> On 3 Sep 2018, at 21:26, Laurent Bigonville wrote:
>
> The problem is that systemd-resolved (maybe other software are doing the
> same?) is asking the DS record to check if the record is supposed to be
> signed (well I think) before trying to do DNSSEC validation of the client
> side.

I am

Re: dig ds c10r.facebook.com returns SERVFAIL

2018-09-03 Thread Laurent Bigonville
On 3/09/18 21:03, Tony Finch wrote: Laurent Bigonville wrote: With bind9 server (I can reproduce that on RHEL7 with 9.9.4, debian stable with 9.10.3 and also debian unstable with 9.11.4) when doing "dig ds c10r.facebook.com @10.122.17.186", I get a SERVFAIL. This is because the authoritative s

Re: dig ds c10r.facebook.com returns SERVFAIL

2018-09-03 Thread Tony Finch
Laurent Bigonville wrote:
>
> With bind9 server (I can reproduce that on RHEL7 with 9.9.4, debian stable
> with 9.10.3 and also debian unstable with 9.11.4) when doing "dig ds
> c10r.facebook.com @10.122.17.186", I get a SERVFAIL.

This is because the authoritative servers for facebook.com do not

dig ds c10r.facebook.com returns SERVFAIL

2018-09-03 Thread Laurent Bigonville
Hello, With bind9 server (I can reproduce that on RHEL7 with 9.9.4, debian stable with 9.10.3 and also debian unstable with 9.11.4) when doing "dig ds c10r.facebook.com @10.122.17.186", I get a SERVFAIL. I'm getting this with either a bind acting as a forwarder or as a recursive server. In t

Re: Frequent timeout

2018-09-03 Thread Carl Byington
On Sun, 2018-09-02 at 21:54 -0400, Alex wrote:
> Do you have any other ideas on how I can isolate this problem?

Run tcpdump on the external ethernet connection.

tcpdump -s0 -vv -i %s -nn -w /tmp/outputfile udp dst port domain

Re: Set SOA serial to increment

2018-09-03 Thread Tony Finch
jason polachak via bind-users wrote:
> I am trying to ensure when I look at the SOA records for the zone it
> matches the serial number of the zone file. I have dnssec running but we
> are not using dynamic updates.

If you are using `auto-dnssec` then named is internally using dynamic updates, a