DNS query failed if I turned on DNSSec

Summary

Dear, sir

I repeatedly encounter this issue. I use my BIND 9 DNS service as a resolver only and it does not provider DNS hosting service.

However, if I turned on the DNSSec query function in the configuration file, after some time of working (several days to nearly two weeks), the DNS resolving service will fail.

Once I restarted the BIND9 service, DNS resolving function gets back to normal. But later for a duration (days to weeks), it stops to working again.

I enabled the DNSSec querying function by this two lines in the ./bind/named.conf.options file.

dnssec-enable yes;
dnssec-validation auto;

Error output

aaa@bbb:~$ nslookup baidu.com Server: 127.0.0.53 Address: 127.0.0.53#53

** server can't find baidu.com: SERVFAIL

BIND version used

bind9: Installed: 1:9.11.3+dfsg-1ubuntu1.8 Candidate: 1:9.11.3+dfsg-1ubuntu1.9

Notice

My named.conf.options settings is published at Github here, https://github.com/TomHsiung/bind/blob/master/named.conf.options