I have a couple of recursive servers running 9.10.3-P2 which are intermittently returning SERVFAIL responses for queries under a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa. This domain is in dlv.isc.org; its parent is unsigned but seems to be DNSSEC-aware - the servers set DO and give the correct authority for DS nodata responses.
http://dnsviz.net/d/a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/dnssec/

One of my servers is currently in the broken state. named_dump.db has

    ;
    ; Bad cache
    ;
    ; a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/DS [ttl 429219]

The TTL here is misleading - unlike other TTLs it is in milliseconds, so it is more reasonable than it appears to be.

Based on reading the code, I think there are two ways for entries to get into the bad cache: either the nameservers have no addresses or there is a problem with the trust chain. I think the following cache entries rule the first one out:

    ; glue ns0.ai270.NET. 26445 A 94.126.40.2
    ; glue ns1.ai270.NET. 26445 A 213.133.150.9

In the second case the name server addresses get added to a bad list. Ah, but I have turned off lame server logging so I don't have a copy of the relevant log line; I shall change that.

Anyone have any more clues about what might be going wrong?

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Malin, Hebrides: South or southwest 7 to severe gale 9, occasionally storm 10 later. Very rough or high, occasionally very high later. Rain or showers. Moderate, occasionally poor.
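The triage the post walks through by hand (find the bad-cache entry, read its TTL as milliseconds, then check whether glue addresses exist for the zone's nameservers to rule out the "no addresses" cause) is easy to script against a named_dump.db. The following is an added example and is not code from the post or from BIND. The dump excerpt is constructed: the bad-cache line and the two glue lines are the ones quoted above, the surrounding header lines are made up for the sample. The millisecond reading of the `[ttl ...]` field is the post's observation, not something verified against the BIND source here, and the nameserver list used in the `__main__` block is an assumption taken from the two glue names in the post.

```python
"""Parse the 'Bad cache' and glue lines of a BIND named_dump.db excerpt and
apply the two-cause reasoning from the post (no NS addresses vs. trust chain)."""

import re
from dataclasses import dataclass

# Constructed excerpt: the bad-cache entry and the two glue records are the
# lines quoted in the post; the header/comment lines around them are made up.
SAMPLE_DUMP = """\
;
; Start view _default
;
;
; Bad cache
;
; a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/DS [ttl 429219]
;
; Cache dump of view '_default' (cache _default)
;
; glue ns0.ai270.NET. 26445 A 94.126.40.2
; glue ns1.ai270.NET. 26445 A 213.133.150.9
"""

# "; <name>/<type> [ttl <n>]" as printed in the Bad cache section
BAD_ENTRY_RE = re.compile(
    r"^;\s+(?P<name>\S+)/(?P<rtype>[A-Z0-9]+)\s+\[ttl\s+(?P<ttl>\d+)\]\s*$"
)
# "; glue <name> <ttl> [IN] A|AAAA <addr>"; the class is optional since the
# post's lines omit it
GLUE_RE = re.compile(
    r"^;\s+glue\s+(?P<name>\S+)\s+(?P<ttl>\d+)\s+(?:IN\s+)?"
    r"(?P<rtype>A|AAAA)\s+(?P<addr>\S+)\s*$"
)


@dataclass
class BadEntry:
    name: str
    rtype: str
    ttl_ms: int  # per the post, this field is in milliseconds unlike other TTLs


def canon(name: str) -> str:
    """Lower-case and fully qualify so ns0.ai270.NET. and ns0.ai270.net match."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def parse_bad_cache(dump: str) -> list[BadEntry]:
    """Collect entries between the '; Bad cache' header and the next section."""
    entries: list[BadEntry] = []
    in_section = False
    for line in dump.splitlines():
        stripped = line.strip()
        if stripped == "; Bad cache":
            in_section = True
            continue
        if not in_section:
            continue
        m = BAD_ENTRY_RE.match(line)
        if m:
            entries.append(BadEntry(canon(m["name"]), m["rtype"], int(m["ttl"])))
        elif stripped != ";":
            in_section = False  # any other comment/data line ends the section
    return entries


def parse_glue(dump: str) -> dict[str, list[str]]:
    """Map canonical nameserver name -> list of glue addresses found in the dump."""
    glue: dict[str, list[str]] = {}
    for line in dump.splitlines():
        m = GLUE_RE.match(line)
        if m:
            glue.setdefault(canon(m["name"]), []).append(m["addr"])
    return glue


def ttl_seconds(ttl_ms: int) -> int:
    """Convert the bad-cache [ttl] to seconds, following the post's observation
    that it is printed in milliseconds (assumption, not checked against BIND)."""
    return ttl_ms // 1000


def nameservers_without_glue(nameservers, glue: dict[str, list[str]]) -> list[str]:
    """Nameservers for which the dump holds no A/AAAA glue at all."""
    return [ns for ns in map(canon, nameservers) if not glue.get(ns)]


def likely_cause(entry: BadEntry, nameservers, glue: dict[str, list[str]]) -> str:
    """The post's two-cause reading: if every NS has an address cached, the
    'no addresses' path is ruled out and a trust-chain problem remains."""
    if nameservers_without_glue(nameservers, glue):
        return "no-addresses"
    return "trust-chain"


if __name__ == "__main__":
    # Assumed NS set for the zone: the two names that appear as glue in the post.
    assumed_ns = ["ns0.ai270.net", "ns1.ai270.net"]
    glue = parse_glue(SAMPLE_DUMP)
    for entry in parse_bad_cache(SAMPLE_DUMP):
        print(f"{entry.name}/{entry.rtype}: expires in ~{ttl_seconds(entry.ttl_ms)}s, "
              f"missing glue for {nameservers_without_glue(assumed_ns, glue) or 'none'}, "
              f"likely cause: {likely_cause(entry, assumed_ns, glue)}")
```

Run it against a real dump with `python3 badcache.py < named_dump.db` after swapping `SAMPLE_DUMP` for `sys.stdin.read()`; the NS list should come from `dig NS` of the affected zone rather than being hard-coded.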