bind always returns SERVFAIL

(2013-04-16)

Problem

I have installed a bind instance from RPM and all it does is SERVFAIL.

Debug logging shows this:

16-Apr-2013 12:08:35.875 resolver: debug 1: createfetch: google.ca A
16-Apr-2013 12:08:35.876 database: debug 1: decrement_reference: delete from rbt: 0x7f7f64ab2010 google.ca
16-Apr-2013 12:08:35.876 resolver: debug 1: createfetch: ca DS
16-Apr-2013 12:08:35.876 database: debug 1: decrement_reference: delete from rbt: 0x7f7f64ab2010 google.ca
16-Apr-2013 12:08:35.876 lame-servers: info: error (no valid DS) resolving 'google.ca/A/IN': 192.168.1.101#53
16-Apr-2013 12:08:35.877 database: debug 1: decrement_reference: delete from rbt: 0x7f7f64ab2010 google.ca
16-Apr-2013 12:08:35.877 resolver: debug 1: createfetch: ca DS
16-Apr-2013 12:08:35.877 database: debug 1: decrement_reference: delete from rbt: 0x7f7f64ab2010 google.ca
16-Apr-2013 12:08:35.878 database: debug 1: decrement_reference: delete from rbt: 0x7f7f64ab2010 google.ca
16-Apr-2013 12:08:35.878 resolver: debug 1: createfetch: ca DS
16-Apr-2013 12:08:35.878 database: debug 1: decrement_reference: delete from rbt: 0x7f7f64ab2010 google.ca
16-Apr-2013 12:08:35.878 query-errors: debug 1: client 192.168.132.6#1244: query failed (SERVFAIL) for google.ca/IN/A at query.c:6560

Solution

The hint is the "DS" in the log: DS (Delegation Signer) is a DNSSEC record type, so "no valid DS" means DNSSEC validation is failing.

Turn off DNSSEC.

options {
…
        dnssec-enable no;       // DNSSEC support off
        dnssec-validation no;   // do not validate answers
        dnssec-lookaside no;    // no DLV lookaside validation
…
};

Alternatively, set up DNSSEC properly. This is apparently left as an exercise for the reader.
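
Before choosing between the two options, it helps to see which upstream server the validation errors point at. The script below is an added example, not part of the original post: it reads named debug output in the format shown above and ties each DNSSEC-related resolution error to the server address in the log line and to the SERVFAIL sent to the client. The function name and the error reasons other than "no valid DS" are assumptions.

```python
import re
from collections import defaultdict

# Log lines copied from the debug output above (subset).
SAMPLE_LOG = """\
16-Apr-2013 12:08:35.875 resolver: debug 1: createfetch: google.ca A
16-Apr-2013 12:08:35.876 resolver: debug 1: createfetch: ca DS
16-Apr-2013 12:08:35.876 lame-servers: info: error (no valid DS) resolving 'google.ca/A/IN': 192.168.1.101#53
16-Apr-2013 12:08:35.878 query-errors: debug 1: client 192.168.132.6#1244: query failed (SERVFAIL) for google.ca/IN/A at query.c:6560
"""

# Reasons that point at DNSSEC validation. Only "no valid DS" appears on this
# page; the others are further validation errors that named logs (assumption).
DNSSEC_REASONS = ("no valid DS", "no valid RRSIG", "broken trust chain", "insecurity proof failed")

# lame-servers lines use name/TYPE/CLASS, query-errors lines use name/CLASS/TYPE.
RESOLVE_ERR = re.compile(r"lame-servers: info: error \((?P<reason>[^)]+)\) resolving "
                         r"'(?P<name>[^/']+)/(?P<type>[^/']+)/(?P<cls>[^']+)': (?P<server>[\d.a-fA-F:]+)#\d+")
SERVFAIL = re.compile(r"query-errors: .*client (?P<client>[\d.a-fA-F:]+)#\d+: "
                      r"query failed \(SERVFAIL\) for (?P<name>[^/]+)/(?P<cls>[^/]+)/(?P<type>\S+)")

def triage(log_text):
    """Return (upstreams, servfails).
    upstreams: {server: {reason: set of (name, type)}} for DNSSEC-related errors.
    servfails: list of (client, name, type, dnssec_related)."""
    upstreams = defaultdict(lambda: defaultdict(set))
    failed = set()      # (name, type) pairs that hit a DNSSEC error earlier in the log
    servfails = []
    for line in log_text.splitlines():
        m = RESOLVE_ERR.search(line)
        if m and m["reason"] in DNSSEC_REASONS:
            upstreams[m["server"]][m["reason"]].add((m["name"], m["type"]))
            failed.add((m["name"], m["type"]))
            continue
        m = SERVFAIL.search(line)
        if m:
            key = (m["name"], m["type"])
            servfails.append((m["client"], *key, key in failed))
    return upstreams, servfails

if __name__ == "__main__":
    upstreams, servfails = triage(SAMPLE_LOG)
    for server, reasons in upstreams.items():
        for reason, names in reasons.items():
            print(f"{server}: {reason}: {sorted(names)}")
    for client, name, rtype, dnssec in servfails:
        print(f"SERVFAIL {name}/{rtype} for {client}: DNSSEC-related={dnssec}")
```

If every DNSSEC-related error names the same upstream address, as 192.168.1.101 does in the log above, that server is the place to look first when setting DNSSEC up properly.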