Re: SERVFAIL from validating nameservers for advocaat.pro advocaten.pro
On Feb 6 2009, Mark Andrews wrote: In message prayer.1.3.1.0902051754210.4...@hermes-2.csi.cam.ac.uk, Chris Thompson writes: [...] More info about the not consistently bit. With nothing about them in the cache (rndc flushname advocaat.pro) looking up SOA or NS records for them gives SERVFAIL. But looking up A records does not, and after that SOA and NS lookups work OK as well. Hmmm... The TLD lies. DNSSEC is doing exactly what it is supposed to do and is blocking ibad answers. Mark ; DiG 9.3.6-P1 advocaat.pro soa @c.gtld.pro +dnssec ;; global options: printcmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 29667 ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;advocaat.pro. IN SOA ;; AUTHORITY SECTION: pro. 14400 IN SOA a.gtld.pro. hostmaster.registrypro.pro. 2009020518 28800 7200 604800 300 Ah, yes -- many thanks for the elucidation. Indeed, looking up SOA for advocaat.pro via a non-validating nameserver (without it having already discovered the NS records for it) believes this crap and reports it back to the caller. The nameservers for pro seem to have some very odd bugs: * asked about the SOA for a sub-zone, they authoritatively deny its existence, as above. * asked about NS records for a sub-zone, they return the delegation set as the _answer_. That's also true of the *.gtld-servers.net lot, but these are worse, because unlike them they claim the answer is authoritative. * even when they do give a referral, it is marked authoritative. One hardly dares to ask how they achieve all this ... -- Chris Thompson Email: c...@cam.ac.uk ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: SERVFAIL from validating nameservers for advocaat.pro advocaten.pro
On Feb 5 2009, I wrote: DLV records for advocaat.pro advocaten.pro are among the recent additions to dlv.isc.org. Using validating recursive nameservers running BIND 9.5.1-P1 (configured to trust dlv.isc.org), I get SERVFAILs looking things up in them, although not consistently. This doesn't happen with non-validating nameservers. I can't work out what is wrong with them. Does anyone else see the same effect? More info about the not consistently bit. With nothing about them in the cache (rndc flushname advocaat.pro) looking up SOA or NS records for them gives SERVFAIL. But looking up A records does not, and after that SOA and NS lookups work OK as well. Hmmm... -- Chris Thompson Email: c...@cam.ac.uk ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: SERVFAIL from validating nameservers for advocaat.pro advocaten.pro
In message prayer.1.3.1.0902051754210.4...@hermes-2.csi.cam.ac.uk, Chris Thompson writes: On Feb 5 2009, I wrote: DLV records for advocaat.pro advocaten.pro are among the recent additions to dlv.isc.org. Using validating recursive nameservers running BIND 9.5.1-P1 (configured to trust dlv.isc.org), I get SERVFAILs looking things up in them, although not consistently. This doesn't happen with non-validating nameservers. I can't work out what is wrong with them. Does anyone else see the same effect? More info about the not consistently bit. With nothing about them in the cache (rndc flushname advocaat.pro) looking up SOA or NS records for them gives SERVFAIL. But looking up A records does not, and after that SOA and NS lookups work OK as well. Hmmm... The TLD lies. DNSSEC is doing exactly what it is supposed to do and is blocking ibad answers. Mark ; DiG 9.3.6-P1 advocaat.pro soa @c.gtld.pro +dnssec ;; global options: printcmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 29667 ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;advocaat.pro. IN SOA ;; AUTHORITY SECTION: pro.14400 IN SOA a.gtld.pro. hostmaster.registrypro.pro. 2009020518 28800 7200 604800 300 ;; Query time: 186 msec ;; SERVER: 192.149.64.10#53(192.149.64.10) ;; WHEN: Fri Feb 6 11:45:31 2009 ;; MSG SIZE rcvd: 96 -- Chris Thompson Email: c...@cam.ac.uk ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users