[dns-operations] Spurious (?) DNSSEC SERVFAIL with some (?) versions of BIND for one domain?
Stephane Bortzmeyer
bortzmeyer at nic.fr
Wed Mar 10 14:32:40 UTC 2021
Some resolvers cannot resolve the DMARC record _dmarc.prv.se/TXT. They
reply SERVFAIL (the correct answer is NXDOMAIN). Running with checking
disabled solves the problem.

I see nothing that explains this problem. Zonemaster and DNSviz do not
see it either.

RIPE Atlas probes show that some probes' resolvers have the problem:

% blaeu-resolve -r 100 --displayvalidation --type TXT _dmarc.prv.se
[ERROR: NXDOMAIN] : 86 occurrences
[ERROR: SERVFAIL] : 12 occurrences
Test #29281287 done at 2021-03-10T14:28:09Z

It seems limited to some (?) versions of BIND. All the other resolvers
I tested are fine. Here, with BIND:

; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> @192.168.1.1 TXT _dmarc.prv.se
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22448
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: a5d317b0ecd877372d40f20b6048d7eeb17f96fd42e1cd5b (good)
;; QUESTION SECTION:
;_dmarc.prv.se. IN TXT
;; Query time: 36 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed Mar 10 15:30:06 CET 2021
;; MSG SIZE rcvd: 70

; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> +cd @192.168.1.1 TXT _dmarc.prv.se
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 5521
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: a202795cfd0e59e942562a706048d7f38ae88ad6b4988c85 (good)
;; QUESTION SECTION:
;_dmarc.prv.se. IN TXT
;; AUTHORITY SECTION:
prv.se. 3243 IN SOA dns1.prv.se. postmaster. (
2020111898 ; serial
1200 ; refresh (20 minutes)
600 ; retry (10 minutes)
1209600 ; expire (2 weeks)
3600 ; minimum (1 hour)
)
prv.se. 3243 IN RRSIG SOA 8 2 3600 (
20210320003042 20210309233042 16321 prv.se.
VwPp3euu60s7lEGw7uliB8Ktf9UeLEMufsLVoalKCZ8G
i6Y5SL6u045fT2S//XpNwFZoFaJER1JtlOo5s97utv9k
gi2PFNWQ6VtfcMpYLcuvwuQ0xdwBUWBnmit7n0diZRzB
1KMSvzs7ur/+KBeGNcqqd4D2pjvxwYIHadDoQLY= )
9qbq9dd8lt1gvge9gdmb5m0o13iuqeqt.prv.se. 3243 IN RRSIG NSEC3 8 3 3600 (
20210320003042 20210309233042 16321 prv.se.
ESiImHBFB3n+cS/bm/5FFE4KiB1pZ3norVyytnXdd4pv
LrtnJyhXcdgipneyozq2+0c1iwzaLUzLFKnC8yeIjvXB
pB6JQwFXYNOQXjnZOB30nX/PU3hfrgGuODJrjargXkCl
69sUaYMwK+uW2J3NAofjFOMizAK7by1bWCe9b3Q= )
9qbq9dd8lt1gvge9gdmb5m0o13iuqeqt.prv.se. 3243 IN NSEC3 1 0 50 33E9285AB62C0803 (
9U28UGFJH153VH0IT0GU0CEDR2SQ93MA
A NS SOA MX TXT DS RRSIG DNSKEY NSEC3PARAM )
hup1us667e5fsc26ltim32tpkio8r12b.prv.se. 3243 IN RRSIG NSEC3 8 3 3600 (
20210320003042 20210309233042 16321 prv.se.
N/aPN5MuDY04vnfAU2SG/1ISeEcIAnpd6F6ufX4uwMrx
J/R/FP+fzp0mn3zuseu124aMFBzX8SG9rRDt1keVmCaH
9rqooFuPZvbCr2WKmTi9OAWIzJSOzVcfimNnrNNU0J5C
By7dkt0umlzoKt73S9M0dVdjkoSUwxsyt9kYtos= )
hup1us667e5fsc26ltim32tpkio8r12b.prv.se. 3243 IN NSEC3 1 0 50 33E9285AB62C0803 (
J20QA6CUD21FG9V4A6P6IEFNOURK87JC
CNAME RRSIG )
lh8nso9jvk3fcgelcakjp266mb0vctj5.prv.se. 3243 IN RRSIG NSEC3 8 3 3600 (
20210320003042 20210309233042 16321 prv.se.
D04hQjopnJoQJB3mPU+2fiECQcWdGDKpADFdbYF0SvYK
B2WbMgOdHV3aOTSnkNnWX0QDTyarJ8JWpIQnq1wfaAbD
n7AlF3eOWYWNolClRIchvY4dIBwBbYVHLRQ6f/Hul1ww
D17xe6SmUOaLGyYNlLrXSuYHHRAeGY/XwZLNTlc= )
lh8nso9jvk3fcgelcakjp266mb0vctj5.prv.se. 3243 IN NSEC3 1 0 50 33E9285AB62C0803 (
Q16A55QV24JJ8VKLC4U0DU1HGBA0QCM7
A RRSIG )
;; Query time: 3 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed Mar 10 15:30:11 CET 2021
;; MSG SIZE rcvd: 1047
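
A diagnostic for the denial-of-existence proof in the +cd answer above, added here as an example and not part of the original post: it recomputes RFC 5155 NSEC3 hashes with the parameters shown in the dig output (SHA-1, 50 iterations, salt 33E9285AB62C0803) and reports which of the three returned NSEC3 records matches or covers the zone apex, the queried name and the wildcard. The function names are assumptions of this example; the record values are copied from the output.

```python
import base64
import hashlib

# NSEC3 parameters and (owner hash, next hashed owner) pairs copied from the
# dig +cd output above, lowercased. Function names are this example's own.
SALT = bytes.fromhex("33E9285AB62C0803")
ITERATIONS = 50
ZONE = "prv.se"
NSEC3_RECORDS = [
    ("9qbq9dd8lt1gvge9gdmb5m0o13iuqeqt", "9u28ugfjh153vh0it0gu0cedr2sq93ma"),
    ("hup1us667e5fsc26ltim32tpkio8r12b", "j20qa6cud21fg9v4a6p6iefnourk87jc"),
    ("lh8nso9jvk3fcgelcakjp266mb0vctj5", "q16a55qv24jj8vklc4u0du1hgba0qcm7"),
]
# Map the standard base32 alphabet onto base32hex (RFC 4648), which sorts
# in the same order as the underlying binary hash.
_B32_TO_HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def name_to_wire(name):
    """Canonical (lowercase) DNS wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt=SALT, iterations=ITERATIONS):
    """RFC 5155 section 5: SHA-1(name || salt), then `iterations` more rounds."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_HEX).decode().lower()

def covers(owner, nxt, h):
    """True if h lies strictly between owner and next (wraps at the last record)."""
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt

def classify(name, records=NSEC3_RECORDS):
    """Return ('matches'|'covered by', owner) or ('no record', hash) for name."""
    h = nsec3_hash(name)
    for owner, nxt in records:
        if h == owner:
            return ("matches", owner)
        if covers(owner, nxt, h):
            return ("covered by", owner)
    return ("no record", h)

if __name__ == "__main__":
    # An NXDOMAIN proof needs: closest encloser matched, next closer name
    # covered, and the wildcard at the closest encloser covered.
    for n in (ZONE, "_dmarc." + ZONE, "*." + ZONE):
        print(n, nsec3_hash(n), *classify(n))
```

Any name that comes back as "no record" means the three NSEC3 records in the response do not form a complete closest-encloser proof for that name under these parameters.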