For When You Can't Have The Real Thing
[ start | index | login ]
start > CentOS > 6 > bind always returns SERVFAIL

bind always returns SERVFAIL

Created by dave. Last edited by dave, 5 years and 238 days ago. Viewed 3,329 times. #1
[edit] [rdf]
labels
attachments
(2013-04-16)

Problem

I have installed a bind instance from RPM and all it does is SERVFAIL.

Debug logging shows this:

16-Apr-2013 12:08:35.875 resolver: debug 1: createfetch: google.ca A
16-Apr-2013 12:08:35.876 database: debug 1: decrement_reference: delete from rbt: 0x7f7f64ab2010 google.ca
16-Apr-2013 12:08:35.876 resolver: debug 1: createfetch: ca DS
16-Apr-2013 12:08:35.876 database: debug 1: decrement_reference: delete from rbt: 0x7f7f64ab2010 google.ca
16-Apr-2013 12:08:35.876 lame-servers: info: error (no valid DS) resolving 'google.ca/A/IN': 192.168.1.101#53
16-Apr-2013 12:08:35.877 database: debug 1: decrement_reference: delete from rbt: 0x7f7f64ab2010 google.ca
16-Apr-2013 12:08:35.877 resolver: debug 1: createfetch: ca DS
16-Apr-2013 12:08:35.877 database: debug 1: decrement_reference: delete from rbt: 0x7f7f64ab2010 google.ca
16-Apr-2013 12:08:35.878 database: debug 1: decrement_reference: delete from rbt: 0x7f7f64ab2010 google.ca
16-Apr-2013 12:08:35.878 resolver: debug 1: createfetch: ca DS
16-Apr-2013 12:08:35.878 database: debug 1: decrement_reference: delete from rbt: 0x7f7f64ab2010 google.ca
16-Apr-2013 12:08:35.878 query-errors: debug 1: client 192.168.132.6#1244: query failed (SERVFAIL) for google.ca/IN/A at query.c:6560

Solution

The hint is that "DS" is a directory certificate or something.

Turn off DNSSEC.

options{
…
        dnssec-enable no;
        dnssec-validation no;
        dnssec-lookaside no;
…
}

Alternatively, set up DNSSEC properly. This is apparently left as an exercise for the reader.

no comments | post comment
This is a collection of techical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.

Useful:


snipsnap.org | Copyright 2000-2002 Matthias L. Jugel and Stephan J. Schmidt