On 04/14/10 16:28, Roy Badami wrote:
Well, FWIW I upgraded to 9.7.0-P1 and tried enabling DLV again and
I've seen no repeat of the DNSSEC name resolution issues so far; it's
early days yet (only been running DLV for three days) but certainly
looking promising.

I spoke too soon.  I've now found a query that (at least this evening)
is consistently failing for me, even if I restart BIND.

The following query gives me SERVFAIL

        dig www.bbc.net.uk aaaa

But the following two queries work:

        dig www.bbc.net.uk a
        dig www.bbc.net.uk aaaa +cd

How does the last query "work"? I consistently get a NOERROR using unbound as a validating resolver, and that's also what I get when querying the authoritative nameservers for bbc.net.uk.

I am easily able to replicate your results on my set-up.

I also get the following log from BIND:

14-Apr-2010 16:33:14.953 error (broken trust chain) resolving 'www.bbc.net.uk/AAAA/IN': 212.58.224.20#53

This is particularly odd, because there is absolutely no DNSSEC
involved here.  No domain above www.bbc.net.uk appears to be in the
DLV registry, and BIND must be able to successfully verify the
covering NSEC record that proves that in order to be willing to
resolve the A query above.  So I can't immediately see any way this
situation could arise except due to a BIND bug.

Anyone else have an IPv6-connected BIND 9.7.0-P1 host with DLV enabled
they can try this query on?

The authoritative DNS servers for bbc.net.uk appear to be kind of broken, in that they don't return authoritative NS records for bbc.net.uk, even when queried. They do return an SOA record. I think some of the goofiness may be due to that lack of authority records. Note that an authoritative BIND server will generally refuse to load a zone without NS records.

Also:

> dig any bbc.net.uk @ns0.rbsov.bbc.co.uk

; <<>> DiG 9.7.0-P1 <<>> any bbc.net.uk @ns0.rbsov.bbc.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32624
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;bbc.net.uk.                    IN      ANY

;; ANSWER SECTION:
bbc.net.uk. 3600 IN TXT "BBC Intelligent Load Balancing Domain"
bbc.net.uk. 3600 IN SOA ns0e.rbsov.bbc.co.uk. bofh.bbc.co.uk. 1271235700 86400 86400 86400 300

;; Query time: 141 msec
;; SERVER: 212.58.227.47#53(212.58.227.47)
;; WHEN: Wed Apr 14 16:45:09 2010
;; MSG SIZE  rcvd: 148

Obviously, in addition to the lack of NS records, there are serious errors in the TXT record above, since the word "Intelligent" clearly does not belong there.

michael
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
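
The +cd comparison and the missing-NS observation from the message above, as an added Python example that is not part of the original thread: it parses dig's text output, classifies a query pair, and lists the record types in an answer. The SERVFAIL and +cd headers are constructed samples, and all function names are hypothetical.

```python
import re

# Constructed dig headers: the same query sent without and with +cd.
PLAIN = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1001
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0"""
WITH_CD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0"""
# Abridged from the ANY response quoted in the message above.
ANY_APEX = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32624
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;bbc.net.uk.                    IN      ANY
bbc.net.uk. 3600 IN TXT "BBC Intelligent Load Balancing Domain"
bbc.net.uk. 3600 IN SOA ns0e.rbsov.bbc.co.uk. bofh.bbc.co.uk. 1271235700 86400 86400 86400 300"""

STATUS_RE = re.compile(r"status: (\w+)")
FLAGS_RE = re.compile(r"flags: ([a-z ]*);.*?ANSWER: (\d+), AUTHORITY: (\d+)")

def parse_header(text):
    """Extract rcode, header flags and section counts from dig output."""
    status, flags = STATUS_RE.search(text), FLAGS_RE.search(text)
    if not status or not flags:
        raise ValueError("no dig header found")
    return {"status": status.group(1),
            "flags": set(flags.group(1).split()),
            "answer": int(flags.group(2)),
            "authority": int(flags.group(3))}

def classify(plain, with_cd):
    """Compare one query sent with and without checking disabled (+cd)."""
    p, c = parse_header(plain), parse_header(with_cd)
    if p["status"] == "SERVFAIL" and c["status"] != "SERVFAIL":
        return "validation-failure"   # data was fetched, then rejected
    if p["status"] == "SERVFAIL":
        return "resolution-failure"   # fails even with validation off
    return "consistent" if p["status"] == c["status"] else "inconclusive"

def record_types(text):
    """Record types present in the non-comment lines of dig output."""
    types = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and not line.startswith(";") and fields[2] == "IN":
            types.add(fields[3])
    return types

if __name__ == "__main__":
    print(classify(PLAIN, WITH_CD))
    print("apex NS present:", "NS" in record_types(ANY_APEX))
```
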
