[systemd-devel] ** server can't find gnu.org: SERVFAIL

Mantas Mikulėnas grawity at gmail.com
Wed Dec 20 17:24:39 UTC 2017


On Wed, Dec 20, 2017 at 7:11 PM, Reindl Harald <h.reindl at thelounge.net>
wrote:

>
>
> On 20.12.2017 at 10:05, D Gilmore wrote:
>
>> Why is this happening? I am an average user trying to get to the
>> www.gnu.org website. I have no problem with any other website at the
>> moment. I have spent hours googling and asking questions on forums trying
>> to solve this problem. But I do not know how to resolve this. I have tried
>> different solutions only to get myself into more trouble. I am using Ubuntu
>> 17.04 64bit which is a new installation with very few additions. I do have
>> Ghostery and an Ad Blocker on both browsers (firefox and chrome) but there
>> is no effect with them enabled or disabled
>>
>
> https://dnssec-debugger.verisignlabs.com/gnu.org
> No DS records found for gnu.org in the org zone
>

That's fine. If the delegation has no DS records, resolvers just treat the
whole zone as unsigned. (Otherwise bootstrapping a signed zone would be
quite difficult.)

You're probably thinking of the opposite situation -- DS in the parent, but
no keys/signatures in the zone itself -- which *would* result in a
validation failure.


> why do you think that is systemd related and what operating system are you
> running? most likely something like below is enabled on your system and
> DNSSEC for gnu.org seems to be fucked up
>
>
No, what is fucked up is gnu.org's nameservers *themselves*. Two out of
four nameservers (ns{1..4}.gnu.org) are completely down at the moment. So
the SERVFAIL most likely just indicates that `resolved` gave up waiting for
a reply -- it doesn't necessarily mean a validation failure.

I'm not sure what the official retry rules are -- I'd expect the resolver
to keep trying until it finds a working nameserver, instead of giving up
mid-way. But instead, I have seen the same behavior with Unbound as well --
it would give up and return SERVFAIL after trying just one or two
nameservers.

-- 
Mantas Mikulėnas
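
Added example, not part of the original message and not code from systemd-resolved or Unbound: a toy model of the two SERVFAIL causes discussed above (resolver gives up before reaching a live nameserver, versus DS in the parent with no keys/signatures in the zone), told apart by repeating the query with the DNSSEC CD (checking disabled) bit. The Zone fields, the max_tries retry budget, the server ordering and both sample zones are assumptions constructed for illustration.

```python
from collections import namedtuple

# ds_in_parent: parent zone publishes a DS record for the delegation
# signed:       the zone itself serves DNSKEY/RRSIG records
# servers_up:   reachability of each authoritative server, in the order tried
Zone = namedtuple("Zone", "ds_in_parent signed servers_up")

def validation_state(zone):
    """DNSSEC status of the zone as seen by a validating resolver."""
    if not zone.ds_in_parent:
        return "insecure"   # no DS: whole zone is treated as unsigned
    return "secure" if zone.signed else "bogus"   # DS but no keys/signatures

def resolve(zone, max_tries, checking_disabled=False):
    """Toy validating resolver; max_tries is a hypothetical retry budget."""
    if not any(zone.servers_up[:max_tries]):
        return "SERVFAIL"   # gave up before reaching a working nameserver
    if validation_state(zone) == "bogus" and not checking_disabled:
        return "SERVFAIL"   # validation failure
    return "NOERROR"

def triage(zone, max_tries):
    """Compare a normal query with the same query sent with the CD bit set."""
    if resolve(zone, max_tries) == "NOERROR":
        return "resolves"
    if resolve(zone, max_tries, checking_disabled=True) == "NOERROR":
        return "validation failure"   # only validation stood in the way
    return "no reply from nameservers"   # fails with or without validation

# Constructed cases: an unsigned zone with two of four servers down (which two
# is an assumption), and a healthy set of servers behind a DS-only delegation.
GNU_LIKE = Zone(ds_in_parent=False, signed=False,
                servers_up=[False, False, True, True])
DS_ONLY = Zone(ds_in_parent=True, signed=False,
               servers_up=[True, True, True, True])

if __name__ == "__main__":
    for name, zone, tries in [("gnu-like, 2 tries", GNU_LIKE, 2),
                              ("gnu-like, 4 tries", GNU_LIKE, 4),
                              ("DS without keys", DS_ONLY, 4)]:
        print(f"{name}: {validation_state(zone)}, {triage(zone, tries)}")
```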