[Pdns-users] DNSSEC name not resolved
Federico Olivieri
lvrfrc87 at gmail.com
Thu Apr 28 14:52:27 UTC 2016
Hi everybody,
On my DNS server running pdns recursor I have noticed that I am not able to
resolve the domain www.hollandandbarrett.com if I have DNSSEC enabled:
root at raspberrypi:~# dig www.hollandandbarrett.com
; <<>> DiG 9.9.5-9+deb8u6-Raspbian <<>> www.hollandandbarrett.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21062
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.hollandandbarrett.com. IN A
;; Query time: 554 msec
;; SERVER: 172.16.0.2#53(172.16.0.2)
;; WHEN: Thu Apr 28 08:26:42 UTC 2016
;; MSG SIZE rcvd: 54
root at raspberrypi:~# dig www.hollandandbarrett.com +trace
; <<>> DiG 9.9.5-9+deb8u6-Raspbian <<>> www.hollandandbarrett.com +trace
;; global options: +cmd
. 86283 IN NS h.root-servers.net.
. 86283 IN NS i.root-servers.net.
. 86283 IN NS f.root-servers.net.
. 86283 IN NS m.root-servers.net.
. 86283 IN NS k.root-servers.net.
. 86283 IN RRSIG NS 8 0 518400
20160507170000 20160427160000 60615 .
j2bBV9oiLgxJ9A7FvSPBdqACWI8Uw86wsMTuHDP3IeGYa5VSLBWi69OP
d+nJyDof+9hPStbVSD7uV8tdPK78c8+3gDvrGkbaZBjiym4DXaauVhiw
kTxfmFr8LxnasF+ESvI4uLauUtsrGTC6ug+lgbBLJtTbLdpPOLUXHwHj oKQ=
. 86283 IN NS c.root-servers.net.
. 86283 IN NS d.root-servers.net.
. 86283 IN NS a.root-servers.net.
. 86283 IN NS l.root-servers.net.
. 86283 IN NS e.root-servers.net.
. 86283 IN NS j.root-servers.net.
. 86283 IN NS b.root-servers.net.
. 86283 IN NS g.root-servers.net.
;; Received 397 bytes from 172.16.0.2#53(172.16.0.2) in 347 ms
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 86400 IN DS 30909 8 2
E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com. 86400 IN RRSIG DS 8 1 86400 20160507170000
20160427160000 60615 .
YOT5cYN8+11DQUxc2anndZ5dApZQOCTuGHIhtFJxLrohG0t+NZIbEiaw
2u1dQwYWIoX5p55CNbqrYAgVmMGPdse9mG5pBA6k7pTZrE+D+ntYAJpd
/JatcilNAfA6FrRLVxiQjOfdqun78tkTolzxmvVbRen7ZYUY9xIAOsyk a80=
;; Received 749 bytes from 202.12.27.33#53(m.root-servers.net) in 882 ms
hollandandbarrett.com. 172800 IN NS ns1.nbty.net.
hollandandbarrett.com. 172800 IN NS ns2.nbty.net.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 -
CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400
20160502045841 20160425034841 34745 com.
eTc6yc1G33jNdyDy+1e2SW+6qRIWht5EKnKeMO9cPxGC/KQ2VXrNKyA+
hK+yneELNfEvH+RZuSKzhYIqeMYp++4j7Lcl10AAydUte6ZElrJihmcs
4jhQVE5NOlCBOEUxiI6JxWPBcR8dKSl3CZjNKUyNuEWcH99B4RD+EHc3 3xo=
9IPRJFKOE8KVSCTP1HLCMUBS8HLU4PLE.com. 86400 IN NSEC3 1 1 0 -
9IPV4DHBFMP2AV0DLSHT8RO2DRQUOKQQ NS DS RRSIG
9IPRJFKOE8KVSCTP1HLCMUBS8HLU4PLE.com. 86400 IN RRSIG NSEC3 8 2 86400
20160502044659 20160425033659 34745 com.
UaFiKDBH8sk3e5JaGaSNV4q3spPdoaD4ai6HueJsCzMZm+p4c7wUlYhO
xPYLgv3MKZPfWO0j3yg2poZk4Tt39ddtRezrSet+E05zUFwzKo4ZRfeV
mox8V0MAFH/AaPDxSaALe53cz7T8ZNBPVdkKomDEc+ODKiTlsRE4/D37 OUg=
;; Received 615 bytes from 192.48.79.30#53(j.gtld-servers.net) in 678 ms
;; Received 43 bytes from 62.200.53.102#53(ns2.nbty.net) in 25 ms
If I change it from validate to off, I am able to resolve the name:
root at raspberrypi:~# dig www.hollandandbarrett.com
; <<>> DiG 9.9.5-9+deb8u6-Raspbian <<>> www.hollandandbarrett.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19677
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.hollandandbarrett.com. IN A
;; ANSWER SECTION:
www.hollandandbarrett.com. 600 IN CNAME
ssl.hollandandbarrett.com.c.footprint.net.
ssl.hollandandbarrett.com.c.footprint.net. 230 IN A 8.247.17.216
ssl.hollandandbarrett.com.c.footprint.net. 230 IN A 8.247.25.216
;; Query time: 786 msec
;; SERVER: 172.16.0.2#53(172.16.0.2)
;; WHEN: Thu Apr 28 08:29:51 UTC 2016
;; MSG SIZE rcvd: 141
Any idea why?
Thanks