Niobos wrote:
> When requesting a lookup of "removed", I get a SERVFAIL as well. However,
> every subsequent request for "removed" gets an NXDOMAIN. (dig outputs below)
> Flushing the caches on the RR with "rndc flush" causes the first request to
> be a SERVFAIL again.

I cannot reproduce this behaviour with BIND 9.7.0b3. I get a SERVFAIL for all lookups to changed/removed records.

Maybe you can try these with 9.6.1-P1:

dig +dnssec normal.fnord.dnstest.hauke-lampe.de
should return 127.0.0.1 and the AD flag (if you use DLV with either dlv.isc.org or dnssec.iks-jena.de).

dig +dnssec changed.fnord.dnstest.hauke-lampe.de
should return SERVFAIL and log "error (no valid RRSIG)" for the A record.

dig +dnssec removed.fnord.dnstest.hauke-lampe.de
should return SERVFAIL and log validation failures for the SOA as well as the A record (because removing the record disrupted the NSEC3 chain).

Hauke.
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
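
The three lookups described in the message above, turned into a repeatable check. This is an added example, not part of the original post: a shell helper that reads `dig` output and compares the header's status and AD flag with the stated expectation. The function names are hypothetical and the sample replies are constructed, not captured from a resolver.

```shell
# Added example; function names are hypothetical, sample replies are constructed.
# Live use: dig +dnssec NAME | check_reply NAME

# dig_verdict: read dig output on stdin, print "<RCODE> <ad|noad>".
dig_verdict() {
    awk '
        /->>HEADER<<-/ {
            for (i = 1; i < NF; i++)
                if ($i == "status:") { rcode = $(i + 1); sub(/,$/, "", rcode) }
        }
        /^;; flags:/ {
            line = $0
            sub(/^;; flags:/, "", line)   # keep only what follows "flags:"
            sub(/;.*/, "", line)          # drop the section counters
            n = split(line, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        END { if (rcode == "") rcode = "NONE"; print rcode, (ad ? "ad" : "noad") }
    '
}

# expected_for: what the message says each test name should produce.
expected_for() {
    case "$1" in
        normal.*)            echo "NOERROR ad" ;;  # validated answer
        changed.*|removed.*) echo "SERVFAIL" ;;    # validation must fail
        *)                   return 1 ;;
    esac
}

# check_reply NAME: compare the dig output on stdin with the expectation.
check_reply() {
    want=$(expected_for "$1") || { echo "UNKNOWN $1"; return 2; }
    got=$(dig_verdict)
    case "$got" in
        "$want"*) echo "PASS $1 ($got)" ;;
        *)        echo "FAIL $1 (got $got, want $want)"; return 1 ;;
    esac
}

# Constructed reply headers (not real captures).
SAMPLE_NORMAL=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1002
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_NXDOMAIN=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1003
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'
```

An NXDOMAIN reply for the "removed" name, as in the quoted report, is flagged as a failure because the expected result is SERVFAIL.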