On 01.10.2011 02:48, Jeff Reasoner wrote: > Hmm, I see an A record using the same query: > [foo@dns1 ~]$ dig +dnssec extended.nau.edu a
I get a SERVFAIL response for the first query and NXDOMAIN for subsequent request: named: client 127.0.0.1#54707: query: extended.nau.edu IN A +ED (127.0.0.1) named: createfetch: extended.nau.edu A named: createfetch: extended.nau.edu DNSKEY named: createfetch: extended.nau.edu DS named: createfetch: nau.edu DNSKEY named: createfetch: nau.edu DS named: createfetch: edu DNSKEY named: createfetch: nau.edu.dlv.isc.org DLV named: validating @0x7f36f7f17680: nau.edu SOA: no valid signature found named: validating @0x7f36f7eed410: nau.edu NSEC: no valid signature found named: validating @0x7f36f7eed410: ewb.nau.edu NSEC: no valid signature found named: error (broken trust chain) resolving 'extended.nau.edu/DNSKEY/IN': 134.114.138.3#53 named: error (broken trust chain) resolving 'extended.nau.edu/A/IN': 134.114.96.4#53 named: client 127.0.0.1#54707: query failed (SERVFAIL) for extended.nau.edu/IN/A at query.c:6302 named: client 127.0.0.1#55872: query: extended.nau.edu IN A +ED (127.0.0.1) Unbound resolves the record on the first try. Aside from the missing DS, I don't see why BIND complains about the NXDOMAIN response at first and then returns that cached record set in response to later queries for the same name. dig +sigchase validates it, if provided with the nau.edu DNSKEY: > nau.edu. 86400 IN SOA ns3.nau.edu. > DNS-Contact.nau.edu. 4779 1800 900 604800 86400 > nau.edu. 86400 IN RRSIG SOA 5 2 86400 20111030191258 > 20110930181258 7485 nau.edu. > xoY5c8d+UnJfXA0ZZDv2Zz5tht4ZspTOeGvEGcQr+XIOMH39krpWR6T9 > fUy5O/XnURz5nDGWR4QIKQMgAu+qfyGzA9Yzb5S5CkAWd4IDjKmznrXI > G3beth9Dcr/fJxusMxGuhZWZftQBrHBn14Wqx8YKOOIwQZx/PSm8XONA tHc= > nau.edu. 86400 IN NSEC _tcp.nau.edu. A NS SOA MX TXT > RRSIG NSEC DNSKEY TYPE65534 > nau.edu. 86400 IN RRSIG NSEC 5 2 86400 20111020001752 > 20110919233312 7485 nau.edu. > GizWBgmH1B7n0TuBjRgUEiu0XOCvrncyKR1iSSWJIrWKn4aZ9djBazdP > /JEWGY73IIZ4j/i3yO6MSw1gJRe0ane3lZjpHFnFdaPPEcYHVWy3h7Zk > UccnBd0ggkkLrHoG/CbRoVrF+90CDJymeAnYcWDycKQW84cNibj/tXxb CRk= > ewb.nau.edu. 86400 IN NSEC facdevnet.nau.edu. CNAME RRSIG > NSEC > ewb.nau.edu. 86400 IN RRSIG NSEC 5 3 86400 20111019222812 > 20110919220129 7485 nau.edu. > SfCIx42kzjbTV5sDH/OwIKGRRxfJaM8EgaX74/RbD+BJjJhP7o28dR1U > VHRuO6arK8FXF0vCIZ5lpqaWFRkaCwEftrjX3ktdWUNfhRlD9qqHF+cV > 00icFXkasql9f8Yk9XgTeZ63CkH/8H9acjTuVlunqZDL1CVtaKTJfKKq uMs= > ;; Received 710 bytes from 134.114.96.4#53(134.114.96.4) in 189 ms Hauke.
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users