[dns-operations] Spurious (?) DNSSEC SERVFAIL with some (?) versions of BIND for one domain?

Stephane Bortzmeyer bortzmeyer at nic.fr
Wed Mar 10 14:32:40 UTC 2021


Some resolvers cannot resolve the DMARC record _dmarc.prv.se/TXT. They
reply SERVFAIL (the correct answer is NXDOMAIN). Running with checking
disabled solves the problem.

I see nothing that explains this problem. Zonemaster and DNSviz do not
see it either.

RIPE Atlas probes show that some probes' resolvers have the problem:

% blaeu-resolve -r 100 --displayvalidation  --type TXT _dmarc.prv.se
[ERROR: NXDOMAIN] : 86 occurrences
[ERROR: SERVFAIL] : 12 occurrences
Test #29281287 done at 2021-03-10T14:28:09Z

It seems limited to some (?) versions of BIND. All the other resolvers
I tested are fine. Here, with BIND:


; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> @192.168.1.1 TXT _dmarc.prv.se
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22448
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: a5d317b0ecd877372d40f20b6048d7eeb17f96fd42e1cd5b (good)
;; QUESTION SECTION:
;_dmarc.prv.se.		IN TXT

;; Query time: 36 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed Mar 10 15:30:06 CET 2021
;; MSG SIZE  rcvd: 70




; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> +cd @192.168.1.1 TXT _dmarc.prv.se
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 5521
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: a202795cfd0e59e942562a706048d7f38ae88ad6b4988c85 (good)
;; QUESTION SECTION:
;_dmarc.prv.se.		IN TXT

;; AUTHORITY SECTION:
prv.se.			3243 IN	SOA dns1.prv.se. postmaster. (
				2020111898 ; serial
				1200       ; refresh (20 minutes)
				600        ; retry (10 minutes)
				1209600    ; expire (2 weeks)
				3600       ; minimum (1 hour)
				)
prv.se.			3243 IN	RRSIG SOA 8 2 3600 (
				20210320003042 20210309233042 16321 prv.se.
				VwPp3euu60s7lEGw7uliB8Ktf9UeLEMufsLVoalKCZ8G
				i6Y5SL6u045fT2S//XpNwFZoFaJER1JtlOo5s97utv9k
				gi2PFNWQ6VtfcMpYLcuvwuQ0xdwBUWBnmit7n0diZRzB
				1KMSvzs7ur/+KBeGNcqqd4D2pjvxwYIHadDoQLY= )
9qbq9dd8lt1gvge9gdmb5m0o13iuqeqt.prv.se. 3243 IN RRSIG NSEC3 8 3 3600 (
				20210320003042 20210309233042 16321 prv.se.
				ESiImHBFB3n+cS/bm/5FFE4KiB1pZ3norVyytnXdd4pv
				LrtnJyhXcdgipneyozq2+0c1iwzaLUzLFKnC8yeIjvXB
				pB6JQwFXYNOQXjnZOB30nX/PU3hfrgGuODJrjargXkCl
				69sUaYMwK+uW2J3NAofjFOMizAK7by1bWCe9b3Q= )
9qbq9dd8lt1gvge9gdmb5m0o13iuqeqt.prv.se. 3243 IN NSEC3 1 0 50 33E9285AB62C0803 (
				9U28UGFJH153VH0IT0GU0CEDR2SQ93MA
				A NS SOA MX TXT DS RRSIG DNSKEY NSEC3PARAM )
hup1us667e5fsc26ltim32tpkio8r12b.prv.se. 3243 IN RRSIG NSEC3 8 3 3600 (
				20210320003042 20210309233042 16321 prv.se.
				N/aPN5MuDY04vnfAU2SG/1ISeEcIAnpd6F6ufX4uwMrx
				J/R/FP+fzp0mn3zuseu124aMFBzX8SG9rRDt1keVmCaH
				9rqooFuPZvbCr2WKmTi9OAWIzJSOzVcfimNnrNNU0J5C
				By7dkt0umlzoKt73S9M0dVdjkoSUwxsyt9kYtos= )
hup1us667e5fsc26ltim32tpkio8r12b.prv.se. 3243 IN NSEC3 1 0 50 33E9285AB62C0803 (
				J20QA6CUD21FG9V4A6P6IEFNOURK87JC
				CNAME RRSIG )
lh8nso9jvk3fcgelcakjp266mb0vctj5.prv.se. 3243 IN RRSIG NSEC3 8 3 3600 (
				20210320003042 20210309233042 16321 prv.se.
				D04hQjopnJoQJB3mPU+2fiECQcWdGDKpADFdbYF0SvYK
				B2WbMgOdHV3aOTSnkNnWX0QDTyarJ8JWpIQnq1wfaAbD
				n7AlF3eOWYWNolClRIchvY4dIBwBbYVHLRQ6f/Hul1ww
				D17xe6SmUOaLGyYNlLrXSuYHHRAeGY/XwZLNTlc= )
lh8nso9jvk3fcgelcakjp266mb0vctj5.prv.se. 3243 IN NSEC3 1 0 50 33E9285AB62C0803 (
				Q16A55QV24JJ8VKLC4U0DU1HGBA0QCM7
				A RRSIG )

;; Query time: 3 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed Mar 10 15:30:11 CET 2021
;; MSG SIZE  rcvd: 1047
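An added example, not part of the original message: it recomputes the RFC 5155 NSEC3 hashes with the salt and iteration count shown in the +cd answer above and reports which of the three NSEC3 records matches or covers each name an NXDOMAIN proof needs. That prv.se itself is the closest encloser is an assumption, and the function names are this example's own.

```python
import base64
import hashlib

# Values copied from the +cd answer above: salt, iterations, (owner hash, next hash).
SALT, ITERATIONS = "33E9285AB62C0803", 50
NSEC3 = [
    ("9qbq9dd8lt1gvge9gdmb5m0o13iuqeqt", "9U28UGFJH153VH0IT0GU0CEDR2SQ93MA".lower()),
    ("hup1us667e5fsc26ltim32tpkio8r12b", "J20QA6CUD21FG9V4A6P6IEFNOURK87JC".lower()),
    ("lh8nso9jvk3fcgelcakjp266mb0vctj5", "Q16A55QV24JJ8VKLC4U0DU1HGBA0QCM7".lower()),
]
# b32encode emits the plain base32 alphabet; NSEC3 owner names use base32hex.
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789abcdefghijklmnopqrstuv")

def wire_name(name):
    """Canonical (lower-case) DNS wire format of a domain name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: SHA-1(name || salt), then `iterations` extra rounds."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX)

def covers(owner, nxt, h):
    """True if h lies strictly inside (owner, nxt), wrapping at the end of the chain."""
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt

def classify(name):
    """Return ('match' | 'cover' | 'none', owner hash) for name against NSEC3."""
    h = nsec3_hash(name, SALT, ITERATIONS)
    for owner, nxt in NSEC3:
        if h == owner:
            return "match", owner
        if covers(owner, nxt, h):
            return "cover", owner
    return "none", None

if __name__ == "__main__":
    # NXDOMAIN proof: closest encloser matched (assumed to be the apex),
    # next closer name covered, wildcard at the closest encloser covered.
    for name in ("prv.se", "_dmarc.prv.se", "*.prv.se"):
        print(name, nsec3_hash(name, SALT, ITERATIONS), *classify(name))
```

A "none" result for any of the three names would mean the records in the answer do not form a complete denial for that name under the assumed closest encloser.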



