Discussion:
** server can't find gnu.org: SERVFAIL
D Gilmore
2017-12-20 09:05:11 UTC
Why is this happening? I am an average user trying to get to the www.gnu.org website. I have no problem with any other website at the moment. I have spent hours googling and asking questions on forums trying to solve this problem. But I do not know how to resolve this. I have tried different solutions only to get myself into more trouble. I am using Ubuntu 17.04 64bit which is a new installation with very few additions. I do have Ghostery and an Ad Blocker on both browsers (Firefox and Chrome) but there is no effect with them enabled or disabled.
So here is where I am up to:
So many resolv.conf files in different folders /etc, /etc/systemd, run/systemd/resolve, run/resolvconf and so many other places I don't know about. Why is it not mentioned in the manual pages how to configure them manually or automatically? So many people have different ideas on how to correct this problem online that my head hurts! I have changed one file at /etc/systemd/resolv.conf without any effort on the problem. Set DNSSEC=off and added google DNS servers.
Now I will show you the output I am currently dealing with, for which I do not have an answer.
// Where is this config status stored??? In /etc/systemd/resolv.conf ???
$ systemd-resolve --status
Global
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      18.172.in-addr.arpa
                      19.172.in-addr.arpa
                      20.172.in-addr.arpa
                      21.172.in-addr.arpa
                      22.172.in-addr.arpa
                      23.172.in-addr.arpa
                      24.172.in-addr.arpa
                      25.172.in-addr.arpa
                      26.172.in-addr.arpa
                      27.172.in-addr.arpa
                      28.172.in-addr.arpa
                      29.172.in-addr.arpa
                      30.172.in-addr.arpa
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test

Link 2 (enp4s0)
      Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 192.168.0.1
---------------------------------------------------------------
//Why is it not looking at my router IP address? (192.168.0.1)
//Yet with IP address of gnu.org I have success! Why?
$ nslookup 208.118.235.148
Server:        127.0.0.53
Address:    127.0.0.53#53

Non-authoritative answer:
148.235.118.208.in-addr.arpa    name = wildebeest.gnu.org.

Authoritative answers can be found from:
-------------------------------------------------------------------------
//Yet the standard name lookup failed! Why?
//Still not my router IP address!
$ nslookup gnu.org
Server:        127.0.0.53
Address:    127.0.0.53#53

** server can't find gnu.org: SERVFAIL

------------------------------------------------------------------------
//Told to do this and got SERVFAIL
$ dig zeus2

; <<>> DiG 9.10.3-P4-Ubuntu <<>> zeus2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29581
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;zeus2.                IN    A

;; Query time: 868 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Wed Dec 20 07:48:41 AEDT 2017
;; MSG SIZE  rcvd: 34
----------------------------------------------------------------------------------------
//My router IP address gave me a good response, I think?

$ dig @192.168.0.1 zeus2.lan

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @192.168.0.1 zeus2.lan
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 56529
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;zeus2.lan.            IN    A

;; AUTHORITY SECTION:
.            74527    IN    SOA    a.root-servers.net. nstld.verisign-grs.com. 2017121901 1800 900 604800 86400

;; Query time: 289 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Wed Dec 20 07:50:10 AEDT 2017
;; MSG SIZE  rcvd: 113
-----------------------------------------------------------------------------------------------------------
This is where I am up to and I need some guidance how to proceed.
Any help with this dilemma would be most appreciated.
Reindl Harald
2017-12-20 17:11:11 UTC
Post by D Gilmore
Why is this happening? I am an average user trying to get to the
www.gnu.org website. I have no problem with any
other website at the moment. I have spent hours googling and asking
questions on forums trying to solve this problem. But I do not know how
to resolve this. I have tried different solutions only to get myself
into more trouble. I am using Ubuntu 17.04 64bit which is a new
installation with very few additions. I do have Ghostery and an Ad
Blocker on both browsers (firefox and chrome) but there is no effect
with them enabled or disabled
https://dnssec-debugger.verisignlabs.com/gnu.org
No DS records found for gnu.org in the org zone
Post by D Gilmore
So many resolv.conf files in different folders /etc, /etc/systemd,
run/systemd/resolve, run/resolvconf and so many other places I don't know
about. Why is it not mentioned in the manual pages how to configure them
manually or automatically?
$ systemd-resolve --status
      Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 192.168.0.1
---------------------------------------------------------------
//Why is it not looking at my router IP address? (192.168.0.1)
//Yet with IP address of gnu.org I have success! Why?
because your systemd is configured not to do so

why do you think that is systemd related and what operating system are
you running? most likely something like below is enabled on your system
and DNSSEC for gnu.org seems to be fucked up

https://fedoraproject.org/wiki/Changes/Default_Local_DNS_Resolver
Post by D Gilmore
$ nslookup 208.118.235.148
Server:        127.0.0.53
Address:    127.0.0.53#53
148.235.118.208.in-addr.arpa    name = wildebeest.gnu.org.
Mantas Mikulėnas
2017-12-20 17:24:39 UTC
Post by Reindl Harald
Post by D Gilmore
Why is this happening? I am an average user trying to get to the
www.gnu.org website. I have no problem with any other website at the
moment. I have spent hours googling and asking questions on forums trying
to solve this problem. But I do not know how to resolve this. I have tried
different solutions only to get myself into more trouble. I am using Ubuntu
17.04 64bit which is a new installation with very few additions. I do have
Ghostery and an Ad Blocker on both browsers (firefox and chrome) but there
is no effect with them enabled or disabled
https://dnssec-debugger.verisignlabs.com/gnu.org
No DS records found for gnu.org in the org zone
That's fine. If the delegation has no DS records, resolvers just treat the
whole zone as unsigned. (Otherwise bootstrapping a signed zone would be
quite difficult.)

You're probably thinking of the opposite situation -- DS in the parent, but
no keys/signatures in the zone itself -- which *would* result in a
validation failure.
Post by Reindl Harald
why do you think that is systemd related and what operating system are you
running? most likely something like below is enabled on your system and
DNSSEC for gnu.org seems to be fucked up
No, what is fucked up is gnu.org's nameservers *themselves*. Two out of
four nameservers (ns{1..4}.gnu.org) are completely down at the moment. So
the SERVFAIL most likely just indicates that `resolved` gave up waiting for
a reply -- it doesn't necessarily mean a validation failure.

I'm not sure what the official retry rules are -- I'd expect the resolver
to keep trying until it finds a working nameserver, instead of giving up
mid-way. But instead, I have seen the same behavior with Unbound as well --
it would give up and return SERVFAIL after trying just one or two
nameservers.
--
Mantas Mikulėnas
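
Added example (not part of the thread and not code from any poster): a small triage helper for the two SERVFAIL causes discussed above, a DNSSEC validation failure versus authoritative nameservers that do not answer. It repeats the query with the Checking Disabled (CD) bit set and then asks each nameserver directly; the function names are hypothetical, and in the test data the choice of which two of ns1..ns4.gnu.org are silent is constructed.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
FLAG_RD, FLAG_CD = 0x0100, 0x0010  # Recursion Desired, Checking Disabled

def build_query(name, cd=False, qid=0x1234):
    """Encode an A query; cd=True asks a validating resolver to skip DNSSEC checks."""
    header = struct.pack("!6H", qid, FLAG_RD | (FLAG_CD if cd else 0), 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!2H", 1, 1)  # QTYPE=A, QCLASS=IN

def rcode_of(reply):
    """RCODE name from a raw reply; None means no usable reply (timeout)."""
    if reply is None or len(reply) < 12:
        return None
    code = struct.unpack("!H", reply[2:4])[0] & 0x000F
    return RCODES.get(code, str(code))

def ask(server, name, cd=False, timeout=3.0):
    """Send one UDP query to server:53; return the RCODE name, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, cd), (server, 53))
            return rcode_of(s.recv(4096))
        except OSError:  # includes socket.timeout
            return None

def classify(normal, with_cd, per_ns):
    """normal/with_cd: RCODEs from the local resolver.
    per_ns: {nameserver: RCODE or None} from asking each authoritative server."""
    if normal != "SERVFAIL":
        return ("not-servfail", [])
    if with_cd == "NOERROR":
        # Data is reachable but the resolver refuses to vouch for it.
        return ("dnssec-validation-failure", [])
    silent = sorted(ns for ns, rc in per_ns.items() if rc is None)
    return ("authoritative-unreachable", silent) if silent else ("inconclusive", [])
```

On a live system the inputs would come from `ask("127.0.0.53", "gnu.org")`, `ask("127.0.0.53", "gnu.org", cd=True)` and one `ask()` per nameserver address.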
D Gilmore
2017-12-21 03:20:48 UTC
Thank you for the information about gnu.org nameservers being down. I am so grateful for that advice. Sorry if it's not really a technical matter but it is so frustrating on forums that give such bad suggestions. You get lost in that maze for hours without someone with real technical know-how helping you.