Have you disabled EDNS to these servers in named.conf? DNSSEC responses are only returned if DO=1 is set in the request. Named can learn that a server doesn’t support EDNS if it doesn’t return EDNS responses consistently to EDNS requests. If that happens named will send plain DNS requests.
Mark

> On 12 Mar 2024, at 22:50, Borja Marcos <bor...@sarenet.es> wrote:
> 
> Hi,
> 
> This is driving me nuts. I have three BIND 9.18.24 running on FreeBSD. Two of
> them on FreeBSD 14, one on FreeBSD 13.2.
> 
> Just one of the servers is failing to resolve a single domain compared to the
> other two: checkpoint.com.
> 
> I get these errors:
> 
> <142>1 2024-03-12T11:36:21.957013+00:00 dnsanycast named 86604 - - insecurity proof failed resolving 'checkpoint.com/A/IN': 198.51.44.65#53
> <142>1 2024-03-12T11:36:21.941389+00:00 dnsanycast named 86604 - - insecurity proof failed resolving 'checkpoint.com/A/IN': 198.51.45.1#53
> <142>1 2024-03-12T11:36:21.924666+00:00 dnsanycast named 86604 - - insecurity proof failed resolving 'checkpoint.com/A/IN': 198.51.45.65#53
> <142>1 2024-03-12T11:36:21.907492+00:00 dnsanycast named 86604 - - insecurity proof failed resolving 'checkpoint.com/A/IN': 198.51.44.1#53
> 
> and these:
> 
> validating checkpoint.com/A: got insecure response; parent indicates it should be secure
> 
> And ultimately my DNS servers return a SERVFAIL.
> 
> The puzzling thing is, the other two servers work (this is a check on a
> different server from the same pool).
> 
> ; <<>> DiG 9.18.24 <<>> @127.0.0.1 checkpoint.com.
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40171
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: aa16c8ceb3a9eee90100000065f0416206a44938e6d8f2b4 (good)
> ;; QUESTION SECTION:
> ;checkpoint.com.			IN	A
> 
> ;; ANSWER SECTION:
> checkpoint.com.		18	IN	A	54.230.112.31
> checkpoint.com.		18	IN	A	54.230.112.106
> checkpoint.com.		18	IN	A	54.230.112.68
> checkpoint.com.		18	IN	A	54.230.112.55
> 
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
> ;; WHEN: Tue Mar 12 11:49:54 UTC 2024
> ;; MSG SIZE  rcvd: 135
> 
> I have the same configuration, using dnssec-validation set to auto.
> 
> Any clue on what might be failing? I am really lost!
> 
> Thanks,
> 
> Borja.
> 
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
> this list
> 
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
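To make the mechanism in the reply concrete (DNSSEC material is only returned when the request carries an EDNS0 OPT record with DO=1, and a resolver that does not get EDNS answers back consistently will treat the server as EDNS-incapable and fall back to plain DNS), here is an added, self-contained Python example. It is not code from this thread or from BIND: it builds a query with and without an OPT record, walks a response in wire format to see whether it contains OPT (EDNS), the DO flag and any RRSIG, and applies the consistency rule the reply describes. The responses it inspects are constructed in the script to stand in for an authoritative server's answers, and the RRSIG rdata is a placeholder, not a real signature.

```python
import struct

# Constructed example, not code from the thread or from BIND: builds a DNS
# query with an EDNS0 OPT record (DO bit set) and inspects responses for
# EDNS, DO and RRSIG presence. All messages here are built locally.

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
DO_BIT = 0x8000  # DO flag is the top bit of the OPT record's TTL field


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name: 'checkpoint.com.' -> 0x0a 'checkpoint' 0x03 'com' 0x00."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name: str, qtype: int = TYPE_A, qid: int = 0x1234,
                edns: bool = True, do: bool = True, udp_size: int = 1232) -> bytes:
    """Query with RD set; with edns=True an OPT RR goes in the additional section."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    if not edns:
        return header + question  # plain DNS: what named falls back to
    # OPT: owner name is root, CLASS carries the UDP payload size, TTL carries
    # extended RCODE / version / flags (DO), rdlen 0 (no options).
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, DO_BIT if do else 0, 0)
    return header + question + opt


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) owner name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, then done
            return off + 2
        off += 1 + length


def inspect(msg: bytes) -> dict:
    """Walk every RR and report whether the message carries OPT, DO and RRSIGs."""
    qid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip qtype + qclass
    info = {"id": qid, "rcode": flags & 0xF, "ad": bool(flags & 0x0020),
            "edns": False, "do": False, "rrsig": False}
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == TYPE_OPT:
            info["edns"] = True
            info["do"] = bool(ttl & DO_BIT)
        elif rtype == TYPE_RRSIG:
            info["rrsig"] = True
        off += rdlen
    return info


def build_response(query: bytes, addr: str, edns: bool, signed: bool) -> bytes:
    """Constructed stand-in for an authoritative answer to `query` (not real data)."""
    qid, _, qd, *_ = struct.unpack_from("!HHHHHH", query, 0)
    qend = 12
    for _ in range(qd):
        qend = _skip_name(query, qend) + 4
    question = query[12:qend]
    owner = b"\xc0\x0c"  # compression pointer back to the question name
    records = [owner + struct.pack("!HHIH", TYPE_A, 1, 18, 4)
               + bytes(int(o) for o in addr.split("."))]
    if signed:
        # Placeholder RRSIG rdata: type covered, algorithm, labels, original TTL,
        # expiration, inception, key tag, signer 'com.', 8 zero "signature" bytes.
        rrsig = (struct.pack("!HBBIIIH", TYPE_A, 13, 2, 18, 0, 0, 0)
                 + encode_name("com.") + b"\x00" * 8)
        records.append(owner + struct.pack("!HHIH", TYPE_RRSIG, 1, 18, len(rrsig)) + rrsig)
    additional = (b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, DO_BIT, 0)) if edns else b""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(records), 0, 1 if edns else 0)
    return header + question + b"".join(records) + additional


def edns_verdict(responses) -> str:
    """The rule from the reply: EDNS answers must come back consistently, otherwise
    the server is treated as non-EDNS and plain DNS (no DO, no signatures) is used."""
    seen = [inspect(r)["edns"] for r in responses]
    if all(seen):
        return "edns"
    if not any(seen):
        return "no-edns"
    return "inconsistent"


if __name__ == "__main__":
    q = build_query("checkpoint.com.")
    print("query           :", inspect(q))
    good = build_response(q, "54.230.112.31", edns=True, signed=True)
    plain = build_response(q, "54.230.112.31", edns=False, signed=False)
    print("signed EDNS reply:", inspect(good))
    print("plain reply      :", inspect(plain))
    print("verdict          :", edns_verdict([good, plain, good]))
```

On a live resolver the same two cases can be compared with `dig +dnssec @server name A` (OPT with DO set) against `dig +noedns @server name A`; an answer to the first that carries no OPT pseudosection is the signal the reply refers to, and a mix of EDNS and non-EDNS answers over several queries is what makes named stop sending EDNS to that server.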