bind always returns SERVFAIL
(2013-04-16)
Problem
I have installed a bind instance from RPM and all it does is SERVFAIL.
Debug logging shows this:
16-Apr-2013 12:08:35.875 resolver: debug 1: createfetch: google.ca A
16-Apr-2013 12:08:35.876 database: debug 1: decrement_reference: delete from rbt: 0x7f7f64ab2010 google.ca
16-Apr-2013 12:08:35.876 resolver: debug 1: createfetch: ca DS
16-Apr-2013 12:08:35.876 database: debug 1: decrement_reference: delete from rbt: 0x7f7f64ab2010 google.ca
16-Apr-2013 12:08:35.876 lame-servers: info: error (no valid DS) resolving 'google.ca/A/IN': 192.168.1.101#53
16-Apr-2013 12:08:35.877 database: debug 1: decrement_reference: delete from rbt: 0x7f7f64ab2010 google.ca
16-Apr-2013 12:08:35.877 resolver: debug 1: createfetch: ca DS
16-Apr-2013 12:08:35.877 database: debug 1: decrement_reference: delete from rbt: 0x7f7f64ab2010 google.ca
16-Apr-2013 12:08:35.878 database: debug 1: decrement_reference: delete from rbt: 0x7f7f64ab2010 google.ca
16-Apr-2013 12:08:35.878 resolver: debug 1: createfetch: ca DS
16-Apr-2013 12:08:35.878 database: debug 1: decrement_reference: delete from rbt: 0x7f7f64ab2010 google.ca
16-Apr-2013 12:08:35.878 query-errors: debug 1: client 192.168.132.6#1244: query failed (SERVFAIL) for google.ca/IN/A at query.c:6560
Solution
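The hint is the "DS" in the log: DS is the Delegation Signer record type that DNSSEC uses to link a zone's key to its parent zone, so "no valid DS" means DNSSEC validation is failing.
Turn off DNSSEC in named.conf, which stops the resolver from validating answers.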
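options {
    …
    dnssec-enable no;       // do not return DNSSEC records in responses
    dnssec-validation no;   // do not validate answers (this is what stops the SERVFAIL)
    dnssec-lookaside no;    // do not use DNSSEC lookaside validation (DLV)
    …
};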
Alternatively, set up DNSSEC properly. This is apparently left as an exercise for the reader.
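
To confirm from the logs that DNSSEC validation is what turns a query into SERVFAIL before changing the configuration, this added example (not part of the original post) pairs each SERVFAIL in the debug output above with any validator error logged for the same name and type. The function and variable names are made up for the example, and every reason string other than "no valid DS" is an assumption about what else to match.

```python
import re
from collections import defaultdict

# Lines copied from the debug log on this page (rbt database noise omitted).
SAMPLE_LOG = """\
16-Apr-2013 12:08:35.875 resolver: debug 1: createfetch: google.ca A
16-Apr-2013 12:08:35.876 resolver: debug 1: createfetch: ca DS
16-Apr-2013 12:08:35.876 lame-servers: info: error (no valid DS) resolving 'google.ca/A/IN': 192.168.1.101#53
16-Apr-2013 12:08:35.877 resolver: debug 1: createfetch: ca DS
16-Apr-2013 12:08:35.878 resolver: debug 1: createfetch: ca DS
16-Apr-2013 12:08:35.878 query-errors: debug 1: client 192.168.132.6#1244: query failed (SERVFAIL) for google.ca/IN/A at query.c:6560
"""

# "no valid DS" is the reason seen on this page; the other strings are an
# assumption about further validator reasons worth matching. Extend as needed.
DNSSEC_REASONS = {"no valid DS", "no valid RRSIG", "no valid KEY", "broken trust chain"}

# lame-servers lines are name/TYPE/CLASS; query-errors lines are name/CLASS/TYPE.
LAME = re.compile(r"lame-servers: info: error \((?P<reason>[^)]+)\) resolving "
                  r"'(?P<name>[^/]+)/(?P<type>[^/]+)/(?P<cls>[^']+)': (?P<server>\S+)#\d+")
SERVFAIL = re.compile(r"query-errors: .*client (?P<client>[^#\s]+)#\d+: query failed "
                      r"\(SERVFAIL\) for (?P<name>[^/]+)/(?P<cls>[^/]+)/(?P<type>\S+) at")


def triage(log_text):
    """Map each SERVFAILed (name, type) to its clients and logged DNSSEC errors."""
    dnssec = defaultdict(set)    # (name, type) -> {(reason, upstream server)}
    servfail = defaultdict(set)  # (name, type) -> {client address}
    for line in log_text.splitlines():
        m = LAME.search(line)
        if m:
            if m["reason"] in DNSSEC_REASONS:
                dnssec[(m["name"].lower(), m["type"])].add((m["reason"], m["server"]))
            continue
        m = SERVFAIL.search(line)
        if m:
            servfail[(m["name"].lower(), m["type"])].add(m["client"])
    return {q: {"clients": c, "dnssec_errors": dnssec.get(q, set())}
            for q, c in servfail.items()}


if __name__ == "__main__":
    for (name, qtype), info in triage(SAMPLE_LOG).items():
        causes = ", ".join(f"{r} via {s}" for r, s in sorted(info["dnssec_errors"]))
        print(f"SERVFAIL {name}/{qtype} for {sorted(info['clients'])}: "
              f"{causes or 'no DNSSEC error logged, look elsewhere'}")
```

A SERVFAIL with an empty `dnssec_errors` set points to a cause other than validation, in which case disabling DNSSEC would not help.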