Previously, only the IP “46.182.19.48” of “Digitalcourage e.V.” was entered as the DNS server in IPFire. In the middle of the day I could no longer call up websites and suspected the DNS. In the web console, the status at “Domain Name System” was now “broken”, with the message “Reverse Lookup failed”.
Because of previous problems, I had added more DNS servers as a test and deactivated the old entry. Now web access, or rather DNS resolution, worked. But calling up the IPFire community or logging in still failed, and I had to create this entry here over my company's network.
```
Line 84302: Jun 16 23:16:14 router unbound: [2714:0] error: SERVFAIL <pakfire.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .
Line 84320: Jun 16 23:16:29 router unbound: [2714:0] error: SERVFAIL <mirror1.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .
Line 84690: Jun 16 23:36:22 router unbound: [2714:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Line 84984: Jun 16 23:54:07 router unbound: [2714:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Line 85641: Jun 17 00:39:41 router unbound: [2714:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Line 86062: Jun 17 01:10:00 router unbound: [2714:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Line 86636: Jun 17 01:41:22 router unbound: [2714:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Line 89340: Jun 17 04:53:59 router unbound: [2714:0] error: SERVFAIL <fireinfo.ipfire.org. AAAA IN>: all the configured stub or forward servers failed, at zone .
Line 89341: Jun 17 04:53:59 router unbound: [2714:0] error: SERVFAIL <fireinfo.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .
Line 91373: Jun 17 07:18:41 router unbound: [2714:0] info: validation failure <config.nos-avg.cz. TXT IN>: No DNSKEY record for key nos-avg.cz. while building chain of trust
Line 91374: Jun 17 07:18:41 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. SRV IN>: No DNSKEY record for key nos-avg.cz. while building chain of trust
Line 91375: Jun 17 07:18:41 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. TXT IN>: No DNSKEY record for key nos-avg.cz. while building chain of trust
Line 91387: Jun 17 07:19:35 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. SRV IN>: key for validation nos-avg.cz. is marked as invalid
Line 91388: Jun 17 07:19:35 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. TXT IN>: key for validation nos-avg.cz. is marked as invalid
Line 91454: Jun 17 07:23:27 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. TXT IN>: No DNSKEY record for key nos-avg.cz. while building chain of trust
Line 91455: Jun 17 07:23:27 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. SRV IN>: No DNSKEY record for key nos-avg.cz. while building chain of trust
Line 91475: Jun 17 07:24:21 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. SRV IN>: key for validation nos-avg.cz. is marked as invalid
Line 91476: Jun 17 07:24:21 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. TXT IN>: key for validation nos-avg.cz. is marked as invalid
Line 91549: Jun 17 07:28:16 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. TXT IN>: No DNSKEY record for key nos-avg.cz. while building chain of trust
Line 91550: Jun 17 07:28:16 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. SRV IN>: No DNSKEY record for key nos-avg.cz. while building chain of trust
Line 91575: Jun 17 07:29:10 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. SRV IN>: key for validation nos-avg.cz. is marked as invalid
Line 91576: Jun 17 07:29:10 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. TXT IN>: key for validation nos-avg.cz. is marked as invalid
Line 91617: Jun 17 07:33:05 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. TXT IN>: No DNSKEY record for key nos-avg.cz. while building chain of trust
Line 91618: Jun 17 07:33:05 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. SRV IN>: No DNSKEY record for key nos-avg.cz. while building chain of trust
Line 91638: Jun 17 07:34:00 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. SRV IN>: key for validation nos-avg.cz. is marked as invalid
Line 91639: Jun 17 07:34:00 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. TXT IN>: key for validation nos-avg.cz. is marked as invalid
Line 91703: Jun 17 07:37:55 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. TXT IN>: No DNSKEY record for key nos-avg.cz. while building chain of trust
Line 91704: Jun 17 07:37:55 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. SRV IN>: No DNSKEY record for key nos-avg.cz. while building chain of trust
Line 91731: Jun 17 07:38:49 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. SRV IN>: key for validation nos-avg.cz. is marked as invalid
```
I am not very knowledgeable on this at all, just trying stuff that I have used in the past after seeing it being used by others on this forum.
The “validation failure” message seems to be related to having problems confirming the DNSSEC status.
The “SERVFAIL” message is where it is having trouble getting a DNS response back when trying to connect to pakfire.ipfire.org, so there appears to be a problem accessing the Cloudflare DNS servers.
Try the following kdig command to see what comes back from cloudflare. Hopefully it is correct as I normally use it for DNS over TLS server connections so I have modified it to use udp (default) as that is what your connection is set up for.
This should tell us how far the DNS connection is getting. This needs to be run when you still get the overall defekt status being shown on your DNS WUI page.
Although they will probably eventually shut this server down as they did for dns.digitalcourage.de it is still working at the moment so this is more just for information.
With this, the DNS works for me again, and it now actually uses the DNS servers from my ISP, even if I do not find that good. I can now also access the ipfire forum from home again, which did not work permanently with the previous DNS servers.
I don’t really understand what is happening but if it works then you are in operation and getting input from more experienced members is not so urgent. Hopefully other people can recognise what the underlying root cause is.
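An added example, not part of any post in this thread: a small triage script that separates the two kinds of unbound messages discussed above, forwarder failures (“SERVFAIL ... all the configured stub or forward servers failed”) and DNSSEC validation failures, so it is clear which names and zones are affected. The sample lines are copied from the log excerpt in the first post; the function names and the grouping are assumptions of this example.

```python
import re
from collections import Counter

# Sample lines copied from the log excerpt quoted in the thread.
SAMPLE_LOG = """\
Line 84302: Jun 16 23:16:14 router unbound: [2714:0] error: SERVFAIL <pakfire.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .
Line 84690: Jun 16 23:36:22 router unbound: [2714:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Line 89340: Jun 17 04:53:59 router unbound: [2714:0] error: SERVFAIL <fireinfo.ipfire.org. AAAA IN>: all the configured stub or forward servers failed, at zone .
Line 91373: Jun 17 07:18:41 router unbound: [2714:0] info: validation failure <config.nos-avg.cz. TXT IN>: No DNSKEY record for key nos-avg.cz. while building chain of trust
Line 91387: Jun 17 07:19:35 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. SRV IN>: key for validation nos-avg.cz. is marked as invalid
"""

# Not anchored at line start, so a "Line NNNN:" search-tool prefix is tolerated.
LINE_RE = re.compile(
    r"unbound: \[\d+:\d+\] \w+: (SERVFAIL|validation failure) "
    r"<(?P<qname>\S+) (?P<qtype>\S+) IN>: (?P<reason>.*)"
)
# Zone whose DNSKEY could not be validated, as named in the reason text.
KEY_ZONE_RE = re.compile(r"(?:for key|key for validation) (\S+)")


def triage(log_text):
    """Return (forwarder_failures, dnssec_failures) as Counters."""
    forwarder = Counter()  # queried name -> number of SERVFAILs
    dnssec = Counter()     # zone with the failing key -> number of failures
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # e.g. "generate keytag query" info lines
        qname = m["qname"].rstrip(".")
        if m.group(1) == "SERVFAIL":
            if "stub or forward servers failed" in m["reason"]:
                forwarder[qname] += 1
        else:
            z = KEY_ZONE_RE.search(m["reason"])
            dnssec[z.group(1).rstrip(".") if z else qname] += 1
    return forwarder, dnssec


if __name__ == "__main__":
    fwd, sec = triage(SAMPLE_LOG)
    print("No answer from any configured forwarder for:", dict(fwd))
    print("DNSSEC validation failing for zone(s):", dict(sec))
```

Forwarder failures spread over unrelated names point at the upstream DNS servers, while validation failures concentrated in one zone point at that zone's DNSSEC data; both readings are heuristics, not a diagnosis.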