Re: Dig ANY gives SERVFAIL / FORMERR
In message , Paul Wouters writes:
> On Wed, 30 Sep 2009, Mark Andrews wrote:
>
>>> http://www.afnic.fr/outils/zonecheck/_en
>>
>> The key word is "required". I know some do, I just wish more did.
>
> I for one, welcome our new named-checkzone overlords.
>
> (especially if named-checkzone would fail to OK a zone with NSEC3RSASHA1 keys
> and re-used NSEC records :)

NSEC3RSASHA1 w/ NSEC is fine and is required if you want to transition
from RSASHA1 (w/ NSEC) to NSEC3RSASHA1 w/ NSEC3 w/o going insecure.

NSEC + NSEC3PARAM however could be rejected, as could having multiple
NSEC3PARAM records.

> Paul

Not named-checkzone (yet) but the following are in BIND 9.6.2.

2686.	[bug]		dnssec-signzone should clean the old NSEC chain when
			signing with NSEC3 and vice versa. [RT #20301]

2683.	[bug]		dnssec-signzone should clean out old NSEC3 chains when
			the NSEC3 parameters used to sign the zone change.
			[RT #20246]

dnssec-signzone works on the zone as a whole so it is in the position
to do this in a straightforward manner. Named, however, needs to support
multiple NSEC3 chains (though not all may be complete) as it does its
work incrementally, but perhaps it could be argued that when you finish
adding a new NSEC3 chain incrementally the old one should be removed.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Dig ANY gives SERVFAIL / FORMERR
On Wed, 30 Sep 2009, Mark Andrews wrote:

>> http://www.afnic.fr/outils/zonecheck/_en
>
> The key word is "required". I know some do, I just wish more did.

I for one, welcome our new named-checkzone overlords.

(especially if named-checkzone would fail to OK a zone with NSEC3RSASHA1 keys
and re-used NSEC records :)

Paul
Re: Dig ANY gives SERVFAIL / FORMERR
In message <20090929122845.ga13...@nic.fr>, Stephane Bortzmeyer writes:
> On Thu, Sep 24, 2009 at 07:16:35AM +1000,
> Mark Andrews wrote
> a message of 77 lines which said:
>
>> It's a pity registries are not required to verify correct operation
>> of the nameservers they are delegating to before accepting the
>> delegation.
>
> Some do!
>
> http://www.afnic.fr/outils/zonecheck/_en

The key word is "required". I know some do, I just wish more did.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
Re: Dig ANY gives SERVFAIL / FORMERR
On Thu, Sep 24, 2009 at 07:16:35AM +1000,
Mark Andrews wrote
a message of 77 lines which said:

> It's a pity registries are not required to verify correct operation
> of the nameservers they are delegating to before accepting the
> delegation.

Some do!

http://www.afnic.fr/outils/zonecheck/_en
Re: Dig ANY gives SERVFAIL / FORMERR
In message , "Jeremy C. Reed" writes:
>> It looks like that the authoritative name server for youbei.cc
>> actually did return some answers, but somehow bind gave a FORMERR for
>> some unknown reasons, which I think caused a SERVFAIL to be
>> reported in turn. Interestingly, dig any youbei.cc +trace ran
>> successfully and did not report any error.
>>
>> Does anyone know what might have caused this problem?
>
> My custom named logs:
>
> 23-Sep-2009 15:00:29.749 resolver: notice: FORMERR: Type didn't match (ANY != A)
> 23-Sep-2009 15:00:29.770 resolver: notice: FORMERR: Reply has no answer.
>
> named wants to know "Is the question the same as the one we asked?"
>
> I think 72dns.com has a broken DNS server.

More modern versions of dig will also report the mismatch. The server
also answers queries with A records.

It's a pity registries are not required to verify correct operation
of the nameservers they are delegating to before accepting the
delegation. If they were then a lot of this garbage would cease.
It really isn't hard for a registry (or the registrar on behalf of
the registry) to check that servers answer queries correctly. Just
the almighty dollar has got in front of having a working system.

Mark

% dig any youbei.cc @ns1.72dns.com
;; Question section mismatch: got youbei.cc/A/IN
;; Question section mismatch: got youbei.cc/A/IN
;; Question section mismatch: got youbei.cc/A/IN

; <<>> DiG 9.7.0a2 <<>> any youbei.cc @ns1.72dns.com
;; global options: +cmd
;; connection timed out; no servers could be reached
%
% dig youbei.cc @ns1.72dns.com

; <<>> DiG 9.3.6-P1 <<>> youbei.cc @ns1.72dns.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5189
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;youbei.cc.			IN

;; ANSWER SECTION:
youbei.cc.		3600	IN	A	211.155.230.241

;; Query time: 436 msec
;; SERVER: 121.12.173.174#53(121.12.173.174)
;; WHEN: Thu Sep 24 07:07:46 2009
;; MSG SIZE  rcvd: 52
%

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
Re: Dig ANY gives SERVFAIL / FORMERR
> It looks like that the authoritative name server for youbei.cc
> actually did return some answers, but somehow bind gave a FORMERR for
> some unknown reasons, which I think caused a SERVFAIL to be
> reported in turn. Interestingly, dig any youbei.cc +trace ran
> successfully and did not report any error.
>
> Does anyone know what might have caused this problem?

My custom named logs:

23-Sep-2009 15:00:29.749 resolver: notice: FORMERR: Type didn't match (ANY != A)
23-Sep-2009 15:00:29.770 resolver: notice: FORMERR: Reply has no answer.

named wants to know "Is the question the same as the one we asked?"

I think 72dns.com has a broken DNS server.
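As an added example (not code from this thread, nor from BIND), the check below mimics the question-section sanity test named applies before it will trust a reply: the question name, type and class in the response must match what was asked, and a NOERROR reply must actually carry something. Both packets are constructed by hand in wire format, modelled on the thread's ANY query and on a reply that echoes type A in its question; the function names are hypothetical.

```python
import struct

TYPE_A, TYPE_ANY, CLASS_IN = 1, 255, 1
TYPE_NAMES = {1: "A", 255: "ANY"}

def encode_name(name):
    """'youbei.cc' -> b'\\x06youbei\\x02cc\\x00' (uncompressed labels)."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.strip(".").split(".")) + b"\x00"

def skip_name(msg, off):
    while msg[off]:          # walk the label lengths until the root label
        off += msg[off] + 1
    return off + 1

def build_query(qid, name, qtype):
    """Recursion-desired query with one question, as a resolver sends it."""
    return struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)

def build_reply(qid, name, question_qtype, ips):
    """Authoritative NOERROR reply (QR|AA|RD) with A records; the server chooses the echoed question type."""
    msg = struct.pack("!6H", qid, 0x8500, 1, len(ips), 0, 0) + encode_name(name) + struct.pack("!HH", question_qtype, CLASS_IN)
    for ip in ips:
        msg += encode_name(name) + struct.pack("!HHIH", TYPE_A, CLASS_IN, 3600, 4) + bytes(int(o) for o in ip.split("."))
    return msg

def parse(msg):
    """Header fields plus the first question's (raw name bytes, type, class)."""
    qid, flags, _qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    end = skip_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[end:end + 4])
    return qid, flags, an, ns, msg[12:end].lower(), qtype, qclass

def check_response(query, reply):
    """FORMERR-style findings in the spirit of named's resolver checks; an empty list means the reply is usable."""
    qid, _, _, _, qname, qtype, qclass = parse(query)
    rid, flags, an, ns, rname, rtype, rclass = parse(reply)
    findings = []
    if rid != qid or not flags & 0x8000:
        findings.append("ID or QR bit didn't match")
    if rname != qname or rclass != qclass:
        findings.append("Name/class didn't match")
    if rtype != qtype:
        findings.append("Type didn't match (%s != %s)" % (TYPE_NAMES.get(qtype, qtype), TYPE_NAMES.get(rtype, rtype)))
    if flags & 0x000F == 0 and an == 0 and ns == 0:   # NOERROR with nothing in answer or authority
        findings.append("Reply has no answer.")
    return findings

# Constructed packets modelled on the thread; check_response(QUERY, BROKEN_REPLY) -> ["Type didn't match (ANY != A)"]
QUERY = build_query(5189, "youbei.cc", TYPE_ANY)
BROKEN_REPLY = build_reply(5189, "youbei.cc", TYPE_A, ["211.155.230.241"])
```

A reply whose question echoes the type that was asked passes cleanly, while a NOERROR reply with empty answer and authority sections trips the second check the thread's logs show.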