Re: Can not get a lick of debug information for a slew of queries that are coming back SERVFAIL
Hi,

I do not know why you would be getting SERVFAIL, but the name ksc.wiki appears to not exist from my perspective:

% dig ksc.wiki

; <<>> DiG 9.10.6 <<>> ksc.wiki
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26112
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;ksc.wiki.                      IN      A

;; AUTHORITY SECTION:
wiki.                   856     IN      SOA     a.nic.wiki. admin.tldns.godaddy. 1745315047 1800 300 604800 1800

;; Query time: 8 msec
;; SERVER: 192.168.40.42#53(192.168.40.42)
;; WHEN: Tue Apr 22 05:49:30 EDT 2025
;; MSG SIZE  rcvd: 98

Perhaps try `dig ksc.wiki +cd` as wiki seems to be signed. Perhaps validation of the non-existence is failing for some reason?

Thank you,

Darren Ankney

On Tue, Apr 22, 2025 at 4:28 AM The Gorf wrote:
>
> bind version: BIND 9.18.33-1~deb12u2-Debian (Extended Support Version)
>
> So it's pretty simple. I'm getting a ton of SERVFAILs randomly and I can
> neither figure out why nor figure out how to get bind to give me debug
> information about why. The documentation here:
> https://kb.isc.org/docs/aa-01526
> hurts my head to read and references stuff that I can't figure out where in
> the documentation it is to explain what it is.
>
> I took the exact document on that page and switched everything to "debug" and
> I have reset the server, rebooted the server, nothing. Here is the exact one
> line bind produces in its logs for the query that is generating the SERVFAIL:
>
> 22-Apr-2025 01:08:17.138 queries: info: client @0x7ffa3cb78168
> 192.168.8.104#47099 (ksc.wiki): query: ksc.wiki IN A + (10.30.160.20)
>
> Nothing. And here is the query-errors file:
> geoff@NS1:/var/log/named$ cat query-errors | grep -i wiki
> geoff@NS1:/var/log/named$
> zilch.
>
> So. what am I doing wrong here? Why can't I get any debug info out of this?
>
> logging {
>     channel default_log {
>         file "/var/log/named/default" versions 3 size 20m;
>         print-time yes;
>         print-category yes;
>         print-severity yes;
>         severity debug;
>     };
>     channel auth_servers_log {
>         file "/var/log/named/auth_servers" versions 100 size 20m;
>         print-time yes;
>         print-category yes;
>         print-severity yes;
>         severity debug;
>     };
>     channel dnssec_log {
>         file "/var/log/named/dnssec" versions 3 size 20m;
>         print-time yes;
>         print-category yes;
>         print-severity yes;
>         severity debug;
>     };
>     channel zone_transfers_log {
>         file "/var/log/named/zone_transfers" versions 3 size 20m;
>         print-time yes;
>         print-category yes;
>         print-severity yes;
>         severity debug;
>     };
>     channel ddns_log {
>         file "/var/log/named/ddns" versions 3 size 20m;
>         print-time yes;
>         print-category yes;
>         print-severity yes;
>         severity debug;
>     };
>     channel client_security_log {
>         file "/var/log/named/client_security" versions 3 size 20m;
>         print-time yes;
>         print-category yes;
>         print-severity yes;
>         severity debug;
>     };
>     channel rate_limiting_log {
>         file "/var/log/named/rate_limiting" versions 3 size 20m;
>         print-time yes;
>         print-category yes;
>         print-severity yes;
>         severity debug;
>     };
>     channel rpz_log {
>         file "/var/log/named/rpz" versions 3 size 20m;
>         print-time yes;
>         print-category yes;
>         print-severity yes;
>         severity debug;
>     };
>     channel dnstap_log {
>         file "/var/log/named/dnstap" versions 3 size 20m;
>         print-time yes;
>         print-category yes;
>         print-severity yes;
>         severity debug;
>     };
>     //
>     // If you have the category ‘queries’ defined, and you don’t want query logging
>     // by default, make sure you add option ‘querylog no;’ - then you can toggle
>     // query logging on (and off again) using command ‘rndc querylog’
>     //
>     channel queries_log {
>         file "/var/log/named/queries" versions 600 size 20m;
>         print-time yes;
>         print-category yes;
>         print-severity yes;
>         severity debug;
>     };
>     //
>     // This channel is dynamic so that when the debug level is increased using
>     // rndc while the server is running, extra information will be logged about
>     // failing queries. Other debug information for other categories will be
>     // sent to the channel default_debug (which is also dynamic), but without
>     // affecting the regular logging.
>     //
>     channel query-errors_log {
>         file "/var/log/named/query-errors" versions 5 size 20m;
>         print-time yes;
>         print-category yes;
>         print-seve
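The `dig ksc.wiki +cd` check suggested above is worth turning into a repeatable triage step, because the two answers separate the two common causes of a resolver SERVFAIL: with CD (checking disabled) set, the recursive server skips DNSSEC validation, so a SERVFAIL that turns into NXDOMAIN or NOERROR under +cd points at validation (a bogus or unreachable chain of trust), while a SERVFAIL that persists under +cd points at resolution itself (authoritative servers, network, or local configuration). Two caveats: the query has to go to the resolver that is returning SERVFAIL (here the poster's own BIND), not to some other resolver, and, as the comments in the posted logging configuration themselves say, the query-errors channel only yields its extra detail once the server's debug level has been raised with rndc; `severity debug` on a channel does not by itself make named generate debug messages. The script below is an added example, not code from the thread or from BIND. It assumes `dig` is on PATH; the default resolver address 127.0.0.1 and the default name ksc.wiki are assumptions, and the two sample outputs are constructed (the header is adapted from the dig output in the reply above) so the parsing can be checked offline.

```python
"""Triage a recursive resolver's SERVFAIL the way the reply above suggests:
ask the same question with and without the CD (checking disabled) bit and
compare the RCODEs. Added example, not code from the thread or from BIND.
Assumes `dig` is on PATH; the resolver address and query name are parameters.
"""
import re
import subprocess
from typing import Optional

# dig prints the header as: ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26112"
HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: \w+, status: (\w+), id: \d+", re.M)
# If the resolver attached an Extended DNS Error (RFC 8914), newer dig prints
# it in the OPT pseudosection as "; EDE: 6 (DNSSEC Bogus)".
EDE_RE = re.compile(r"^; EDE: (\d+)(?: \(([^)]*)\))?", re.M)

VALIDATION_FAILURE = "validation-failure"  # SERVFAIL only while validating: DNSSEC is the problem
RESOLUTION_FAILURE = "resolution-failure"  # SERVFAIL even with +cd: auth servers, network, config
NOT_SERVFAIL = "not-servfail"
NO_ANSWER = "no-answer"                    # dig missing, timeout, or unparseable output


def parse_rcode(dig_output: str) -> Optional[str]:
    """RCODE word from dig's header line, or None if there is no header (e.g. timeout)."""
    m = HEADER_RE.search(dig_output)
    return m.group(1) if m else None


def parse_ede(dig_output: str) -> Optional[tuple]:
    """(code, text) of an Extended DNS Error if dig printed one, else None."""
    m = EDE_RE.search(dig_output)
    return (int(m.group(1)), m.group(2) or "") if m else None


def classify(rcode_plain: Optional[str], rcode_cd: Optional[str]) -> str:
    """Interpret the pair of RCODEs: (normal query, the same query with +cd)."""
    if rcode_plain is None or rcode_cd is None:
        return NO_ANSWER
    if rcode_plain != "SERVFAIL":
        return NOT_SERVFAIL
    if rcode_cd == "SERVFAIL":
        return RESOLUTION_FAILURE
    return VALIDATION_FAILURE


def run_dig(name: str, server: str, rtype: str = "A", cd: bool = False, timeout: int = 5) -> str:
    """Run dig once against the given resolver; returns its stdout ('' on failure)."""
    cmd = ["dig", f"@{server}", name, rtype, "+tries=1", f"+time={timeout}"]
    if cd:
        cmd.append("+cd")
    try:
        return subprocess.run(cmd, capture_output=True, text=True, timeout=timeout + 2).stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ""


def triage(name: str, server: str) -> dict:
    """Query twice (without and with +cd) and report both RCODEs, any EDE, and a verdict."""
    plain = run_dig(name, server)
    with_cd = run_dig(name, server, cd=True)
    return {
        "rcode": parse_rcode(plain),
        "rcode_cd": parse_rcode(with_cd),
        "ede": parse_ede(plain),
        "verdict": classify(parse_rcode(plain), parse_rcode(with_cd)),
    }


# Constructed dig output for offline checks; header adapted from the reply above.
SAMPLE_NXDOMAIN = (
    ";; Got answer:\n"
    ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26112\n"
    ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1\n"
)
SAMPLE_SERVFAIL_EDE = (
    ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242\n"
    ";; OPT PSEUDOSECTION:\n"
    "; EDNS: version: 0, flags:; udp: 1232\n"
    "; EDE: 6 (DNSSEC Bogus)\n"
)

if __name__ == "__main__":
    import sys
    # Assumed defaults: the name from the thread and a resolver on localhost.
    name = sys.argv[1] if len(sys.argv) > 1 else "ksc.wiki"
    server = sys.argv[2] if len(sys.argv) > 2 else "127.0.0.1"
    print(triage(name, server))
```

Run it as `python3 triage.py ksc.wiki 10.30.160.20` against the resolver that is failing; a `validation-failure` verdict means the next place to look is the resolver's dnssec category and the signed delegation, while `resolution-failure` means the problem exists before validation even starts.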
Re: DNSVIZ errors
I think I know what is going on. There is a variable ‘maxlabels’ that is used in the binary search that optimised the closest encloser search. That updated value was being used later rather than its original value when determining the NSEC3 that proves the NOQNAME, resulting in the wrong NSEC3 being added to the response.

> On 22 Apr 2025, at 00:55, akritrim® Intelligence™ via bind-users wrote:
>
> version: BIND 9.20.8-1+0~20250416.117+debian12~1.gbp1ea9dd-Debian (Stable Release) (<>)
> running on localhost: Linux x86_64 6.1.0-33-cloud-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.133-1 (2025-04-10)
> boot time: Sun, 20 Apr 2025 15:40:59 GMT
> last configured: Sun, 20 Apr 2025 15:40:59 GMT
> configuration file: /etc/bind/named.conf
> CPUs found: 1
> worker threads: 1
> number of zones: 10 (0 automatic)
> debug level: 0
> xfers running: 0
> xfers deferred: 0
> xfers first refresh: 0
> soa queries in progress: 0
> query logging is ON
> response logging is OFF
> memory profiling is INACTIVE
> recursive clients: 0/900/1000
> recursive high-water: 0
> tcp clients: 0/150
> TCP high-water: 25
> server is up and running
>
>
> is this any way related to this?
>
> From 9.20.8 release notes:
>
> Restore NSEC3 closest-encloser lookup improvements.
>
> A performance improvement for finding the closest encloser when generating
> authoritative responses from NSEC3 zones was previously reverted after a bug
> was found that could trigger an assertion failure. ([GL #4460], [GL #4950],
> and [GL #5108]) The bug has now been fixed, and the performance improvement
> has been restored. [GL #5204]
>
>
>
> On 21/04/2025 7:12 pm, Mark Andrews wrote:
>> What does ‘rndc status’ return?
>>
>>> On 21 Apr 2025, at 13:05, akritrim® Intelligence™ via bind-users wrote:
>>>
>>> Thank you for your help. it does give insights into the problem.
>>> if you check dnsviz history, this does not happen everytime.
>>> the bind version is BIND 9.20.8-1+0~20250416.117+debian12~1.gbp1ea9dd-Debian
>>> obtained from: https://www.isc.org/download/ ---> https://bind.debian.net/bind
>>> there are no firewalls or load balancers. these are directly connected to
>>> internet. i was running BIND 9.18 official debian package and got no errors
>>> like this.
>>>
>>> On 21/04/2025 4:46 am, Crist Clark wrote:
>>>> The version of BIND and where you got it would be a good start. Any load
>>>> balancers, firewalls, etc. between the server and internet that might touch
>>>> the DNS records?
>>>>
>>>> True DNSSEC gurus please check my math.
>>>>
>>>> DNSViz is correct. You're not sending the proper NSEC3 records. Like the RFC
>>>> says, "It takes three to tango," for NSEC3 denial of existence. You sent two.
>>>>
>>>> For a name where two levels of label don't exist,
>>>>
>>>>     l5tz4.1i89a.akritrim.net
>>>>
>>>> you should send back three NSEC3 records,
>>>>
>>>> 1) NSEC3 record that proves 1i89a.akritrim.net (18QMAAOCT0HPNGCPD9MLONVAK13DS8HT) does not exist.
>>>> 2) NSEC3 record for akritrim.net (N1MI0QA6QNO2L00GAT0PE6PEGGHHI48P).
>>>> 3) NSEC3 record proving the wildcard, *.akritrim.net (6L23GRBE4JIMA1A0G8DSBBUT32V6VCO1), does not exist.
>>>>
>>>> But you're not, you're only sending two,
>>>>
>>>>     N1MI0QA6QNO2L00GAT0PE6PEGGHHI48P.akritrim.net. 600 IN NSEC3 1 0 0 - QDO3A5R9G64L616H1K2FF3SUMFPPRV3J A NS SOA MX TXT RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY CAA
>>>>     67QJN06FLKRQCT38S4FF08EP31NDRL8S.akritrim.net. 600 IN NSEC3 1 0 0 - 6LPNNJIVL1267OV5QQSBFLMFIDHMHJ8P TXT RRSIG
>>>>
>>>> Those are two I'd expect to see for (2) and (3), but where is (1)?
>>>>
>>>> But it's weirder. For this name,
>>>>
>>>>     ebzoq.ik7ub.akritrim.net
>>>>
>>>> you are sending three NSEC3, but one doesn't look like the right one. You should send,
>>>>
>>>> 1) NSEC3 record that proves 1i89a.akritrim.net (S2NOKIAA732BLNNSEMCJ8KV74H6ICUEP) does not exist.
>>>> 2) NSEC3 record for akritrim.net (N1MI0QA6QNO2L00GAT0PE6PEGGHHI48P).
>>>> 3) NSEC3 record proving the wildcard, *.akritrim.net (6L23GRBE4JIMA1A0G8DSBBUT32V6VCO1), does not exist.
>>>>
>>>> But these get sent,
>>>>
>>>>     N1MI0QA6QNO2L00GAT0PE6PEGGHHI48P.akritrim.net. 600 IN NSEC3 1 0 0 - QDO3A5R9G64L616H1K2FF3SUMFPPRV3J A NS SOA MX TXT RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY CAA
>>>>     I559SEFHCJO35HED2LU4N68B44CA281V.akritrim.net. 600 IN NSEC3 1 0 0 - KOGD0HOUD9R7BAB4LKQR2E9ALI57C7N0 A RRSIG CAA
>>>>     67QJN06FLKRQCT38S4FF08EP31NDRL8S.akritrim.net. 600 IN NSEC3 1 0 0 - 6LPNNJIVL1267OV5QQSBFLMFIDHMHJ8P TXT RRSIG
>>>>
>>>> The first and last are the same two we got previously and line up with (2) and (3).
>>>> But we get this other one that doesn't line up with (1). But what I /think/ that
>>>> might be is the record that would prove ebzoq.ik7ub.akritrim.net
>>>> (IAT39F3MSSGS2D4O255VNHB67V2GCNVI) does not exist in its place.
>>>>
>>>> On Sun, Apr 20, 2025 at 10:29 AM akritrim® Intelligence™ via bind-users <bind-users@lists.isc.org> wrote:
>>>>> i didn't specifically ask for your help. i don't know why you replied. yes
>>>>> i do
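The "three to tango" analysis quoted above can be checked mechanically rather than by hand. An NXDOMAIN from an NSEC3 zone has to carry a record whose owner hash matches the closest encloser (the longest ancestor of the query name that exists in the zone, empty non-terminals included), a record whose hash interval covers the next closer name (the closest encloser with one more label of the query name), and a record covering the wildcard at the closest encloser. Two, or all three, of those may be the same record when the hashes happen to fall in the same interval, which is why a response with fewer than three distinct records is not automatically wrong, and why the fix is to test the proof rather than count records. Note the wrap-around: the last record in hash order covers everything after its owner and before the first owner. The script below is an added example, not code from the thread or from BIND; it follows RFC 5155 (SHA-1 over the wire-format name plus salt, iterated, base32hex owner names) and implements both the authoritative side that selects the records and the validator side that checks them. The zone `example.test`, its names, the hash parameters (no salt, zero iterations, as in the records above) and the query `x.y.example.test` are all constructed; nothing about the akritrim.net zone beyond what is quoted is assumed.

```python
"""NSEC3 denial-of-existence check: hash names as RFC 5155 does, pick the NSEC3
records an authoritative server must return for NXDOMAIN, and validate a
response. Added example, not code from the thread or from BIND; the zone, hash
parameters and responses below are constructed."""
import base64
import hashlib

# RFC 5155 owner names use base32hex; its alphabet sorts like the 160-bit hash
# value, so plain string comparison below is hash-ring order.
TO_BASE32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                             "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def norm(name):
    """Lowercase, no trailing dot: the key form used throughout."""
    return name.lower().rstrip(".")


def wire_name(name):
    """Canonical uncompressed wire format (RFC 4034 section 6.2)."""
    labels = [l for l in norm(name).split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt=b"", iterations=0):
    """IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt); SHA-1 (hash alg 1).
    20 bytes encode to exactly 32 base32 characters, so no padding appears."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(TO_BASE32HEX)


def nsec3_covers(owner, nxt, h):
    """True if h lies strictly between owner and next; the last RR wraps to the first."""
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt


def with_empty_nonterminals(names, apex):
    """Empty non-terminals exist for NSEC3 purposes, so add every ancestor down to the apex."""
    apex, out = norm(apex), set()
    for n in map(norm, names):
        while True:
            out.add(n)
            if n == apex or "." not in n:
                break
            n = n.split(".", 1)[1]
    return out


def build_chain(names, salt=b"", iterations=0):
    """(owner_hash, next_hash) pairs of the zone's NSEC3 chain, closed into a ring."""
    hs = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [(hs[i], hs[(i + 1) % len(hs)]) for i in range(len(hs))]


def closest_encloser(qname, names):
    """(closest encloser, next closer name) for a qname that is not in the zone."""
    labels = norm(qname).split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in names:
            return ".".join(labels[i:]), ".".join(labels[i - 1:])
    raise ValueError(f"{qname} is not below any name in the zone")


def nxdomain_nsec3_records(qname, names, chain, salt=b"", iterations=0):
    """Authoritative side, the 'three to tango': an RR matching the closest encloser,
    one covering the next closer name, one covering the wildcard at the closest
    encloser. Two or all three may be the same RR, so the result is deduplicated."""
    ce, nc = closest_encloser(qname, names)
    h_ce, h_nc, h_wc = (nsec3_hash(n, salt, iterations) for n in (ce, nc, "*." + ce))
    return [rr for rr in chain
            if rr[0] == h_ce or nsec3_covers(*rr, h_nc) or nsec3_covers(*rr, h_wc)]


def verify_nxdomain(qname, rrs, salt=b"", iterations=0):
    """Validator side (RFC 5155 section 8.4): find the closest provable encloser among
    the qname's ancestors, then demand covering RRs for the next closer name and the
    wildcard. Returns (ok, closest_encloser, missing_proofs)."""
    owners = {o for o, _ in rrs}
    labels = norm(qname).split(".")
    for i in range(1, len(labels)):
        ce, nc = ".".join(labels[i:]), ".".join(labels[i - 1:])
        if nsec3_hash(ce, salt, iterations) not in owners:
            continue
        missing = [what for what, h in (("next closer " + nc, nsec3_hash(nc, salt, iterations)),
                                        ("wildcard *." + ce, nsec3_hash("*." + ce, salt, iterations)))
                   if not any(nsec3_covers(o, n, h) for o, n in rrs)]
        return not missing, ce, missing
    return False, None, ["no NSEC3 owner matches any ancestor of the query name"]


# Constructed zone and query (not the zone from the thread). Like the thread's
# l5tz4.1i89a.akritrim.net, the qname is missing two labels below the apex.
APEX = "example.test"
ZONE_NAMES = with_empty_nonterminals([APEX, "www.example.test", "mail.example.test",
                                      "b.c.example.test"], APEX)
CHAIN = build_chain(ZONE_NAMES)
QNAME = "x.y.example.test"


def demo():
    """Complete proof versus one with the next-closer record left out, the shape
    of the defect diagnosed above. Returns both verify_nxdomain results."""
    complete = nxdomain_nsec3_records(QNAME, ZONE_NAMES, CHAIN)
    _, nc = closest_encloser(QNAME, ZONE_NAMES)
    incomplete = [rr for rr in complete if not nsec3_covers(*rr, nsec3_hash(nc))]
    return verify_nxdomain(QNAME, complete), verify_nxdomain(QNAME, incomplete)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

To reproduce the hand analysis above against a live server, feed `verify_nxdomain` the (owner hash, next hash) pairs taken from the NSEC3 records in the response's authority section with the zone's real salt and iteration count; the `missing` list then names exactly which of the three proofs is absent, which is what DNSViz was reporting.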
Can not get a lick of debug information for a slew of queries that are coming back SERVFAIL
bind version: BIND 9.18.33-1~deb12u2-Debian (Extended Support Version)

So it's pretty simple. I'm getting a ton of SERVFAILs randomly and I can neither figure out why nor figure out how to get bind to give me debug information about why. The documentation here:

https://kb.isc.org/docs/aa-01526

hurts my head to read and references stuff that I can't figure out where in the documentation it is to explain what it is.

I took the exact document on that page and switched everything to "debug" and I have reset the server, rebooted the server, nothing. Here is the exact one line bind produces in its logs for the query that is generating the SERVFAIL:

22-Apr-2025 01:08:17.138 queries: info: client @0x7ffa3cb78168 192.168.8.104#47099 (ksc.wiki): query: ksc.wiki IN A + (10.30.160.20)

Nothing. And here is the query-errors file:

geoff@NS1:/var/log/named$ cat query-errors | grep -i wiki
geoff@NS1:/var/log/named$

zilch.

So. what am I doing wrong here? Why can't I get any debug info out of this?

logging {
    channel default_log {
        file "/var/log/named/default" versions 3 size 20m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity debug;
    };
    channel auth_servers_log {
        file "/var/log/named/auth_servers" versions 100 size 20m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity debug;
    };
    channel dnssec_log {
        file "/var/log/named/dnssec" versions 3 size 20m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity debug;
    };
    channel zone_transfers_log {
        file "/var/log/named/zone_transfers" versions 3 size 20m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity debug;
    };
    channel ddns_log {
        file "/var/log/named/ddns" versions 3 size 20m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity debug;
    };
    channel client_security_log {
        file "/var/log/named/client_security" versions 3 size 20m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity debug;
    };
    channel rate_limiting_log {
        file "/var/log/named/rate_limiting" versions 3 size 20m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity debug;
    };
    channel rpz_log {
        file "/var/log/named/rpz" versions 3 size 20m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity debug;
    };
    channel dnstap_log {
        file "/var/log/named/dnstap" versions 3 size 20m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity debug;
    };
    //
    // If you have the category ‘queries’ defined, and you don’t want query logging
    // by default, make sure you add option ‘querylog no;’ - then you can toggle
    // query logging on (and off again) using command ‘rndc querylog’
    //
    channel queries_log {
        file "/var/log/named/queries" versions 600 size 20m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity debug;
    };
    //
    // This channel is dynamic so that when the debug level is increased using
    // rndc while the server is running, extra information will be logged about
    // failing queries. Other debug information for other categories will be
    // sent to the channel default_debug (which is also dynamic), but without
    // affecting the regular logging.
    //
    channel query-errors_log {
        file "/var/log/named/query-errors" versions 5 size 20m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity debug;
    };
    //
    // This is the default syslog channel, defined here for clarity. You don’t
    // have to use it if you prefer to log to your own channels.
    // It sends to syslog’s daemon facility, and sends only logged messages
    // of priority info and higher.
    // (The options to print time, category and severity are non-default.)
    //
    channel default_syslog {
        print-time yes;
        print-category yes;
        print-severity yes;
        syslog daemon;
        severity debug;
    };
    //
    // This is the default debug output channel, defined here for clarity. You
    // might want to redefine the output destination if it doesn’t fit with your
    // local system administration plans for logging. It is also a special
    // channel that only produces output if the debug level is non-zero.
    //
    channel default_debug {
        print-time yes;
        print-category yes;
        print-severity yes;
        file "named.run";
        severity debug;
    };
    //
    // Log routine stuff to syslog and default log:
    //
    category default { default_syslog; default_debug; defaul
Bash automation for Bind (small office/home office)
Hello,

I developed a Bash script to automate the installation and configuration of open-source software (i.e., launchpad.net/linuxsoho). I want to make sure the syntax of this script is perfect so I can use it as a teaching tool to educate people about Linux. I need to know if there is anything misconfigured with my Bind syntax.

If you find a bug in LinuxSOHO, please submit a bug report to bugs.launchpad.net/linuxsoho/+filebug.

Kind regards,
Travis Bean

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users