Niobos wrote:
> As soon as I activate DLV (besides the manual SEP I entered), the "removed"
> behaviour changes:
> * First lookup still returns SERVFAIL
> * Subsequent lookups now return NXDOMAIN with the AD flag *set*! (log
> confirms that my domain is not in the DLV and hence is insecure)

That is weird. I haven't seen that before and have no good explanation at hand.

> Could you try this lookup?
> dig +dnssec removed.dnssec.dest-unreach.be

I see now what you mean. Even though I have added your DNSKEY as trusted
key, I get SERVFAIL on the first query and NXDOMAIN on the second, without
BIND doing any additional outgoing queries.

One of your name servers returns unsigned NXDOMAIN responses with a higher
serial number than the master server:

| $ dig +dnssec removed.dnssec.dest-unreach.be @sdns1.ovh.net.
|
| ;; Got answer:
| ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 32510
| ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
| ;; WARNING: recursion requested but not available
|
| ;; OPT PSEUDOSECTION:
| ; EDNS: version: 0, flags: do; udp: 4096
| ;; QUESTION SECTION:
| ;removed.dnssec.dest-unreach.be. IN A
|
| ;; AUTHORITY SECTION:
| dest-unreach.be. 3600 IN SOA serv02.imset.org. hostmaster.dest-unreach.be. 2009111619 3600 3600 604800 3600

serv02.imset.org returns a signed NXDOMAIN response with serial 2009081781.

That corresponds to BIND's error message:

| error (insecurity proof failed) resolving 'removed.dnssec.dest-unreach.be/A/IN': 213.251.188.140#53

> Could the problem be that the authenticating RR somehow considers this domain
> to be insecure when looking up "removed"?

That might well be the case, although I would expect BIND not to return
unsigned queries for names below a manually configured trust anchor.

Maybe others have an idea what's happening here and why BIND returns
NXDOMAIN responses.

Hauke.

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
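The diagnosis above (one authoritative server handing out an unsigned NXDOMAIN with a newer serial while the master serves a signed one with an older serial) can be checked for any zone by comparing dig output from every name server. The following is an added example, not code from Hauke's mail or from BIND; the dig captures are constructed and abridged, and the signature data in them is a placeholder.

```python
import re

# Constructed, abridged dig outputs modelled on the two answers discussed above:
# an unsigned NXDOMAIN with SOA serial 2009111619 from sdns1.ovh.net and a
# signed NXDOMAIN with serial 2009081781 from serv02.imset.org. Not real
# captures; the RRSIG/NSEC data is placeholder text.
SAMPLE_RESPONSES = {
    "sdns1.ovh.net.": """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 32510
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
dest-unreach.be. 3600 IN SOA serv02.imset.org. hostmaster.dest-unreach.be. 2009111619 3600 3600 604800 3600
""",
    "serv02.imset.org.": """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4711
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
;; AUTHORITY SECTION:
dest-unreach.be. 3600 IN SOA serv02.imset.org. hostmaster.dest-unreach.be. 2009081781 3600 3600 604800 3600
dest-unreach.be. 3600 IN RRSIG SOA 5 2 3600 20091216000000 20091116000000 12345 dest-unreach.be. PLACEHOLDERSIG==
dest-unreach.be. 3600 IN NSEC a.dest-unreach.be. NS SOA RRSIG NSEC DNSKEY
""",
}

def parse_dig(text):
    """Pull status, header flags, SOA serial and RRSIG presence out of dig output."""
    m = re.search(r"status: (\w+)", text)
    status = m.group(1) if m else None
    m = re.search(r";; flags: ([^;]*);", text)
    flags = m.group(1).split() if m else []
    # SOA RDATA is: mname rname serial refresh retry expire minimum
    m = re.search(r"\sIN\s+SOA\s+\S+\s+\S+\s+(\d+)", text)
    serial = int(m.group(1)) if m else None
    signed = re.search(r"\sIN\s+RRSIG\s", text) is not None
    return {"status": status, "flags": flags, "serial": serial, "signed": signed}

def check_consistency(responses):
    """Compare each authoritative server's answer and return a list of findings.

    Differing serials, or a negative answer that is signed on one server but
    unsigned on another, is what makes a validator's insecurity proof fail.
    """
    parsed = {srv: parse_dig(txt) for srv, txt in responses.items()}
    findings = []
    serials = {p["serial"] for p in parsed.values() if p["serial"] is not None}
    if len(serials) > 1:
        detail = ", ".join(f"{s} serial {parsed[s]['serial']}" for s in sorted(parsed))
        findings.append("SOA serial mismatch: " + detail)
    unsigned = sorted(s for s, p in parsed.items() if not p["signed"])
    if unsigned and len(unsigned) < len(parsed):
        findings.append("unsigned negative answers from: " + ", ".join(unsigned))
    return findings
```

To run it against a live zone, replace the constructed strings with the output of `dig +dnssec <name> @<server>` for each NS record of the zone; any finding means the secondaries and master disagree on what they serve.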