Hi,

Dig returns SERVFAIL while trying to resolve a DNSSEC-enabled zone without a DS record in the parent zone. For example, I have these two DNSSEC-enabled zones:

domain.com
subdomain.domain.com

The domain.com zone has NO DS record for the subdomain.domain.com zone, and subdomain.domain.com has an A record for the zone, and an A record for www. If I query subdomain.domain.com, I get SERVFAIL from dig and these log messages:

03-Oct-2011 11:03:07.893 validating @0x7f9ea305b2d0: domain.com SOA: no valid signature found
03-Oct-2011 11:03:07.894 createfetch: domain.com DS
03-Oct-2011 11:03:07.894 validating @0x7f9ea305df70: domain.com NSEC: no valid signature found
03-Oct-2011 11:03:07.895 createfetch: domain.com DS
03-Oct-2011 11:03:07.896 error (broken trust chain) resolving 'subdomain.domain.com/DNSKEY/IN': x.x.x.x#53
03-Oct-2011 11:03:07.896 error (broken trust chain) resolving 'subdomain.domain.com/A/IN': x.x.x.x#53

If I run the query again, I get NXDOMAIN (from cache). So I can't query the subdomain.domain.com zone.

Now, if I query www.subdomain.domain.com I get the same, but when I run the query again I get a valid answer (from cache).

I know the DS is not configured properly and so DNSSEC shouldn't work, but BIND shouldn't behave like this. If the zone is not configured properly, BIND should query it anyway, the same way it does when the zone isn't signed.

I didn't find any related bugs. Is this a known bug?

Btw, I'm using BIND 9.7.3 from Debian 6.0.2.

Thanks.

--
Sergio Roberto Charpinel Jr.
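Added example (not part of the original post and not BIND code): a short Python script that parses the log lines quoted above and groups each "broken trust chain" error under the closest enclosing name that logged a validation failure, together with the record types that failed and the number of DS fetches for that name. The function names and the report layout are assumptions made for this illustration.

```python
import re
from collections import Counter

# Log lines as quoted in the post (server address redacted there as x.x.x.x).
SAMPLE_LOG = """\
03-Oct-2011 11:03:07.893 validating @0x7f9ea305b2d0: domain.com SOA: no valid signature found
03-Oct-2011 11:03:07.894 createfetch: domain.com DS
03-Oct-2011 11:03:07.894 validating @0x7f9ea305df70: domain.com NSEC: no valid signature found
03-Oct-2011 11:03:07.895 createfetch: domain.com DS
03-Oct-2011 11:03:07.896 error (broken trust chain) resolving 'subdomain.domain.com/DNSKEY/IN': x.x.x.x#53
03-Oct-2011 11:03:07.896 error (broken trust chain) resolving 'subdomain.domain.com/A/IN': x.x.x.x#53
"""

VALIDATING = re.compile(r"validating @0x[0-9a-f]+: (\S+) (\S+): (.+)$")
DS_FETCH = re.compile(r"createfetch: (\S+) DS$")
BROKEN = re.compile(r"error \(broken trust chain\) resolving '([^/']+)/([^/']+)/[^']+'")

def parse(log_text):
    """Return (validation failures, DS fetch counts, broken-trust-chain queries)."""
    failures, ds_fetches, broken = [], Counter(), []
    for line in log_text.splitlines():
        if m := VALIDATING.search(line):
            failures.append((m.group(1).lower(), m.group(2), m.group(3)))
        elif m := DS_FETCH.search(line):
            ds_fetches[m.group(1).lower()] += 1
        elif m := BROKEN.search(line):
            broken.append((m.group(1).lower(), m.group(2)))
    return failures, ds_fetches, broken

def closest_failing_ancestor(name, failures):
    """Longest name with a logged validation failure that equals or encloses `name`."""
    failing = {owner for owner, _, _ in failures}
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in failing:
            return candidate
    return None

def triage(log_text):
    """Map 'name/type' of each failed query to (ancestor, failed rrtypes, DS fetches)."""
    failures, ds_fetches, broken = parse(log_text)
    report = {}
    for name, rtype in broken:
        anc = closest_failing_ancestor(name, failures)
        failed_types = sorted(t for owner, t, _ in failures if owner == anc)
        report[f"{name}/{rtype}"] = (anc, failed_types, ds_fetches[anc])
    return report
```

For the quoted log, both failed queries for subdomain.domain.com map to domain.com, whose SOA and NSEC records are the ones logged as having no valid signature.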