** server can't find gnu.org: SERVFAIL
D Gilmore
2017-12-20 09:05:11 UTC
Why is this happening? I am an average user trying to get to the www.gnu.org website. I have no problem with any other website at the moment. I have spent hours googling and asking questions on forums trying to solve this problem. But I do not know how to resolve this. I have tried different solutions only to get myself into more trouble. I am using Ubuntu 17.04 64bit which is a new installation with very few additions. I do have Ghostery and an Ad Blocker on both browsers (firefox and chrome) but there is no effect with them enabled or disabled.
So here is where I am up to:
So many resolv.conf files in different folders /etc, /etc/systemd, run/systemd/resolve, run/resolvconf and so many other places I don't know about. Why is it not mentioned in the manual pages how to configure them manually or automatically? So many people have different ideas on how to correct this problem online that my head hurts! I have changed one file at /etc/systemd/resolv.conf without any effect on the problem. Set DNSSEC=off and added google DNS servers.
Now I will show you the output I am currently dealing with, for which I do not have an answer.
// Where is this config status stored??? In /etc/systemd/resolv.conf ???
$ systemd-resolve --status
Global
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      18.172.in-addr.arpa
                      19.172.in-addr.arpa
                      20.172.in-addr.arpa
                      21.172.in-addr.arpa
                      22.172.in-addr.arpa
                      23.172.in-addr.arpa
                      24.172.in-addr.arpa
                      25.172.in-addr.arpa
                      26.172.in-addr.arpa
                      27.172.in-addr.arpa
                      28.172.in-addr.arpa
                      29.172.in-addr.arpa
                      30.172.in-addr.arpa
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test

Link 2 (enp4s0)
      Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 192.168.0.1
---------------------------------------------------------------
//Why is it not looking at my router IP address? (192.168.0.1)
//Yet with IP address of gnu.org I have success! Why?
$ nslookup 208.118.235.148
Server:        127.0.0.53
Address:    127.0.0.53#53

Non-authoritative answer:
148.235.118.208.in-addr.arpa    name = wildebeest.gnu.org.

Authoritative answers can be found from:
-------------------------------------------------------------------------
//Yet the standard name lookup failed! Why?
//Still not my router IP address!
$ nslookup gnu.org
Server:        127.0.0.53
Address:    127.0.0.53#53

** server can't find gnu.org: SERVFAIL

------------------------------------------------------------------------
//Told to do this and got SERVFAIL
$ dig zeus2

; <<>> DiG 9.10.3-P4-Ubuntu <<>> zeus2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29581
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;zeus2.                IN    A

;; Query time: 868 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Wed Dec 20 07:48:41 AEDT 2017
;; MSG SIZE  rcvd: 34
----------------------------------------------------------------------------------------
//My router ip address gave me a good response, I think?

$ dig @192.168.0.1 zeus2.lan

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @192.168.0.1 zeus2.lan
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 56529
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;zeus2.lan.            IN    A

;; AUTHORITY SECTION:
.            74527    IN    SOA    a.root-servers.net. nstld.verisign-grs.com. 2017121901 1800 900 604800 86400

;; Query time: 289 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Wed Dec 20 07:50:10 AEDT 2017
;; MSG SIZE  rcvd: 113
-----------------------------------------------------------------------------------------------------------
This is where I am up to and I need some guidance how to proceed.
Any help with this dilemma would be most appreciated. 
Reindl Harald
2017-12-20 17:11:11 UTC
On 20.12.2017 at 10:05, D Gilmore wrote:
> Why is this happening? I am an average user trying to get to the
> www.gnu.org website. I have no problem with any
> other website at the moment. I have spent hours googling and asking
> questions on forums trying to solve this problem. But I do not know how
> to resolve this. I have tried different solutions only to get myself
> into more trouble. I am using Ubuntu 17.04 64bit which is a new
> installation with very few additions. I do have Ghostery and an Ad
> Blocker on both browsers (firefox and chrome) but there is no effect
> with them enabled or disabled

https://dnssec-debugger.verisignlabs.com/gnu.org
No DS records found for gnu.org in the org zone

> So here is where I am up to:
> So many resolv.conf files in different folders /etc, /etc/systemd,
> run/systemd/resolve, run/resolvconf and so many other places I don't know
> about. Why is it not mentioned in the manual pages how to configure them
> manually or automatically?

> $ systemd-resolve --status
>       Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
>        LLMNR setting: yes
> MulticastDNS setting: no
>       DNSSEC setting: no
>     DNSSEC supported: no
>          DNS Servers: 192.168.0.1
> ---------------------------------------------------------------
> //Why is it not looking at my router IP address? (192.168.0.1)
> //Yet with IP address of gnu.org I have success! Why?

because your systemd is configured not to do so

why do you think that is systemd related and what operating system are
you running? most likely something like below is enabled on your system
and DNSSEC for gnu.org seems to be fucked up

https://fedoraproject.org/wiki/Changes/Default_Local_DNS_Resolver

> $ nslookup 208.118.235.148
> Server:        127.0.0.53
> Address:    127.0.0.53#53
>
> Non-authoritative answer:
> 148.235.118.208.in-addr.arpa    name = wildebeest.gnu.org.
Mantas Mikulėnas
2017-12-20 17:24:39 UTC
On Wed, Dec 20, 2017 at 7:11 PM, Reindl Harald <***@thelounge.net>
wrote:

>
>
> On 20.12.2017 at 10:05, D Gilmore wrote:
>
>> Why is this happening? I am an average user trying to get to the
>> www.gnu.org website. I have no problem with any other website at the
>> moment. I have spent hours googling and asking questions on forums trying
>> to solve this problem. But I do not know how to resolve this. I have tried
>> different solutions only to get myself into more trouble. I am using Ubuntu
>> 17.04 64bit which is a new installation with very few additions. I do have
>> Ghostery and an Ad Blocker on both browsers (firefox and chrome) but there
>> is no effect with them enabled or disabled
>>
>
> https://dnssec-debugger.verisignlabs.com/gnu.org
> No DS records found for gnu.org in the org zone
>

That's fine. If the delegation has no DS records, resolvers just treat the
whole zone as unsigned. (Otherwise bootstrapping a signed zone would be
quite difficult.)

You're probably thinking of the opposite situation -- DS in the parent, but
no keys/signatures in the zone itself -- which *would* result in a
validation failure.


> why do you think that is systemd related and what operating system are you
> running? most likely something like below is enabled on your system and
> DNSSEC for gnu.org seems to be fucked up
>
>
No, what is fucked up is gnu.org's nameservers *themselves*. Two out of
four nameservers (ns{1..4}.gnu.org) are completely down at the moment. So
the SERVFAIL most likely just indicates that `resolved` gave up waiting for
a reply -- it doesn't necessarily mean a validation failure.

I'm not sure what the official retry rules are -- I'd expect the resolver
to keep trying until it finds a working nameserver, instead of giving up
mid-way. But instead, I have seen the same behavior with Unbound as well --
it would give up and return SERVFAIL after trying just one or two
nameservers.

--
Mantas Mikulėnas
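
Added example, not part of the thread and not any poster's code: a triage of the two SERVFAIL causes discussed above (DNSSEC validation failure versus nameservers that do not answer), using the header lines of three dig runs against the same resolver. The function names and the sample headers are constructed for illustration, and it assumes the resolver honours the CD (checking disabled) bit that `dig +cd` sets.

```python
import re

STATUS = re.compile(r"status: (\w+), id: \d+")
ANSWERS = re.compile(r"ANSWER: (\d+)")

def parse_dig(text):
    """Return (rcode, answer_count) from dig's textual header."""
    status, answers = STATUS.search(text), ANSWERS.search(text)
    if not status or not answers:
        raise ValueError("no dig header found")
    return status.group(1), int(answers.group(1))

def triage(normal, checking_disabled, ds_query):
    """Classify a SERVFAIL from three dig outputs (hypothetical helper):
    normal            = dig NAME
    checking_disabled = dig +cd NAME  (resolver skips DNSSEC validation)
    ds_query          = dig DS NAME   (DS records are served by the parent zone)
    """
    rcode, _ = parse_dig(normal)
    cd_rcode, cd_answers = parse_dig(checking_disabled)
    ds_rcode, ds_answers = parse_dig(ds_query)
    if rcode != "SERVFAIL":
        return "no failure"
    if cd_rcode == "NOERROR" and cd_answers > 0:
        # The data is reachable; only validation rejected it.
        return "dnssec validation failure"
    if ds_rcode == "NOERROR" and ds_answers == 0:
        # No DS in the parent: the zone is treated as unsigned, so the
        # SERVFAIL cannot come from validation.
        return "zone unsigned; nameservers unreachable or failing"
    return "upstream failure; dnssec state undetermined"

def sample(status, answers):
    """Constructed dig header, modelled on the output quoted in the thread."""
    return (f";; ->>HEADER<<- opcode: QUERY, status: {status}, id: 29581\n"
            f";; flags: qr rd ra; QUERY: 1, ANSWER: {answers}, "
            "AUTHORITY: 0, ADDITIONAL: 1\n")

if __name__ == "__main__":
    # Situation described in the thread: no DS in org, nameservers down.
    print(triage(sample("SERVFAIL", 0), sample("SERVFAIL", 0), sample("NOERROR", 0)))
    # Opposite situation: DS in the parent, answer only available with +cd.
    print(triage(sample("SERVFAIL", 0), sample("NOERROR", 1), sample("NOERROR", 1)))
```
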
D Gilmore
2017-12-21 03:20:48 UTC
Thank you for the information about gnu.org nameservers being down. I am so grateful for that advice. Sorry if it's not really a technical matter but it is so frustrating on forums that give such bad suggestions. You get lost in that maze for hours without someone with real technical know-how helping you.