19 Kvě
2022
19 Kvě
'22
12:40
Am Donnerstag, Mai 05, 2022 12:46 CEST, schrieb Vladimír Čunát
<vladimir.cunat(a)nic.cz>cz>:
Hello.
On 29/04/2022 08.48, Jürgen Echter wrote:
Hi,
now the error is happening again, but i do not see any ;; EDE; in kdig output. Only
status: SERVFAIL, but i do have debug enabled for the domain.
Installed versions:
knot-libs.x86_64 3.1.8-1.el8 @epel
knot-resolver.x86_64 5.5.0-1.el8 @epel
knot-utils.x86_64 3.1.8-1.el8 @epel
debug log:
Mai 19 12:31:03 myserver kresd[99290]: [reqdbg][policy][53187.00] request packet:
;; ->>HEADER<<- opcode: QUERY; status:
NOERROR; id: 53187
;; Flags: rd QUERY: 1; ANSWER: 0; AUTHORITY: 0;
ADDITIONAL: 0
;; QUESTION SECTION
dovecot.org. A
Mai 19 12:31:03 myserver kresd[99290]: [reqdbg][iterat][53187.00] 'dovecot.org.'
type 'A' new uid was assigned .01, parent uid .00
Mai 19 12:31:03 myserver kresd[99290]: [reqdbg][cache ][53187.01] => skipping exact
RR: rank 060 (min. 030), new TTL -145392
Mai 19 12:31:03 myserver kresd[99290]: [reqdbg][cache ][53187.01] => no NSEC* cached
for zone: dovecot.org.
Mai 19 12:31:03 myserver kresd[99290]: [reqdbg][cache ][53187.01] => skipping zone:
dovecot.org., NSEC, hash 0;new TTL -123456789, ret -2
Mai 19 12:31:03 myserver kresd[99290]: [reqdbg][cache ][53187.01] => skipping zone:
dovecot.org., NSEC, hash 0;new TTL -123456789, ret -2
Mai 19 12:31:03 myserver kresd[99290]: [reqdbg][zoncut][53187.01] found cut:
dovecot.org. (rank 002 return codes: DS 0, DNSKEY -116)
Mai 19 12:31:03 myserver kresd[99290]: [reqdbg][plan ][53187.01] plan
'dovecot.org.' type 'DNSKEY' uid [53187.02]
Mai 19 12:31:03 myserver kresd[99290]: [reqdbg][iterat][53187.02]
'dovecot.org.' type 'DNSKEY' new uid was assigned .03, parent uid .01
Mai 19 12:31:03 myserver kresd[99290]: [reqdbg][cache ][53187.03] => skipping exact
RR: rank 060 (min. 030), new TTL -124092
Mai 19 12:31:03 myserver kresd[99290]: [reqdbg][cache ][53187.03] => no NSEC*
cached for zone: dovecot.org.
Mai 19 12:31:03 myserver kresd[99290]: [reqdbg][cache ][53187.03] => skipping zone:
dovecot.org., NSEC, hash 0;new TTL -123456789, ret -2
Mai 19 12:31:03 myserver kresd[99290]: [reqdbg][cache ][53187.03] => skipping zone:
dovecot.org., NSEC, hash 0;new TTL -123456789, ret -2
Mai 19 12:31:03 myserver kresd[99290]: [reqdbg][select][53187.03] => id:
'27107' choosing to resolve A: 'pdns-public-ns2.powerdns.com.' zone cut:
'dovecot.org.'
Mai 19 12:31:03 myserver kresd[99290]: [reqdbg][plan ][53187.03] plan
'pdns-public-ns2.powerdns.com.' type 'A' uid [53187.04]
Mai 19 12:31:03 myserver kresd[99290]: [reqdbg][iterat][53187.04]
'pdns-public-ns2.powerdns.com.' type 'A' new uid was assigned .05, parent
uid .03
Mai 19 12:31:03 myserver kresd[99290]: [reqdbg][cache ][53187.05] => skipping
exact RR: rank 060 (min. 000), new TTL -141973
Mai 19 12:31:03 myserver kresd[99290]: [reqdbg][cache ][53187.05] => no NSEC*
cached for zone: powerdns.com.
Mai 19 12:31:03 myserver kresd[99290]: [reqdbg][cache ][53187.05] => skipping
zone: powerdns.com., NSEC, hash 0;new TTL -123456789, ret -2
Mai 19 12:31:03 myserver kresd[99290]: [reqdbg][cache ][53187.05] => skipping
zone: powerdns.com., NSEC, hash 0;new TTL -123456789, ret -2
Mai 19 12:31:03 myserver kresd[99290]: [reqdbg][zoncut][53187.05] found cut:
powerdns.com. (rank 002 return codes: DS 0, DNSKEY -116)
Mai 19 12:31:03 myserver kresd[99290]: [reqdbg][plan ][53187.05] plan
'powerdns.com.' type 'DNSKEY' uid [53187.06]
Mai 19 12:31:03 myserver kresd[99290]: [reqdbg][iterat][53187.06]
'powerdns.com.' type 'DNSKEY' new uid was assigned .07, parent uid .05
Mai 19 12:31:03 myserver kresd[99290]: [reqdbg][cache ][53187.07] => skipping
exact RR: rank 060 (min. 030), new TTL -141973
Mai 19 12:31:03 myserver kresd[99290]: [reqdbg][cache ][53187.07] => no NSEC*
cached for zone: powerdns.com.
Mai 19 12:31:03 myserver kresd[99290]: [reqdbg][cache ][53187.07] => skipping
zone: powerdns.com., NSEC, hash 0;new TTL -123456789, ret -2
Mai 19 12:31:03 myserver kresd[99290]: [reqdbg][cache ][53187.07] => skipping
zone: powerdns.com., NSEC, hash 0;new TTL -123456789, ret -2
Mai 19 12:31:03 myserver kresd[99290]: [reqdbg][select][53187.07] => id:
'63719' no suitable transport, zone cut: 'powerdns.com.'
Mai 19 12:31:03 myserver kresd[99290]: [reqdbg][iterat][53187.07]
'powerdns.com.' type 'DNSKEY' new uid was assigned .08, parent uid .05
Mai 19 12:31:03 myserver kresd[99290]: [reqdbg][select][53187.08] => id:
'42529' no suitable transport, zone cut: 'powerdns.com.'
Mai 19 12:31:03 myserver kresd[99290]: [reqdbg][resolv][53187.08] AD: request NOT
classified as SECURE
Mai 19 12:31:03 myserver kresd[99290]: [reqdbg][resolv][53187.05] finished in state:
8, queries: 1, mempool: 32800 B
Mai 19 12:31:03 myserver kresd[99290]: [reqdbg][policy][53187.00] following rrsets were
marked as interesting:
Mai 19 12:31:03 myserver kresd[99290]: [reqdbg][policy][53187.00] answer packet:
;; ->>HEADER<<- opcode: QUERY; status:
SERVFAIL; id: 53187
;; Flags: qr rd ra QUERY: 1; ANSWER: 0; AUTHORITY: 0;
ADDITIONAL: 0
;; QUESTION SECTION
dovecot.org. A
Thanks a lot in advance
Juergen
Anything i can do to track this down?
First hint about what's wrong would be to inspect the extended error
returned in the packet. Old dig doesn't show it, but e.g. (current)
kdig does, on a line prefixed by ";; EDE:"
Logs about a failing query would be most useful, probably. Our docs
have an example for verbose logging restricted to failing queries in
chosen subtrees:
https://knot-resolver.readthedocs.io/en/stable/modules-policy.html#policy.D…
--Vladimir