Tony Finch <d...@dotat.at> wrote: > I have a couple of recursive servers running 9.10.3-P2 which are > intermittently returning SERVFAIL responses for queries under > a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa. This domain is in dlv.isc.org; its > parent is unsigned but seems to be DNSSEC-aware - the servers set DO and > give the correct authority for DS nodata responses. > > http://dnsviz.net/d/a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/dnssec/
After turning on lame-servers logging I get the following which basically confirms what I already worked out but doesn't really explain why the validator thinks that a broken chain of trust is such a disaster. Also, why is it trying to get address records for a reverse DNS name? 23-Dec-2015 13:20:54.328 lame-servers: info: broken trust chain resolving 'a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/DS/IN': 94.126.40.2#53 23-Dec-2015 13:20:54.328 lame-servers: info: broken trust chain resolving '1.0.0.0.3.2.1.0.0.0.0.0.0.0.0.0.2.0.0.f.a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/AAAA/IN': 2a01:8000:1ffa:f003:bc9d:1dff:fe9b:7466#53 23-Dec-2015 13:20:54.398 lame-servers: info: broken trust chain resolving '1.0.0.0.3.2.1.0.0.0.0.0.0.0.0.0.2.0.0.f.a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/A/IN': 217.168.153.95#53 Tony. -- f.anthony.n.finch <d...@dotat.at> http://dotat.at/ Fair Isle, Southeast Faeroes: Southwesterly veering southerly for a time, 7 to severe gale 9, increasing storm 10 or violent storm 11 later. Very rough or high, becoming high or very high later. Rain or squally showers. Moderate or good, occasionally poor. _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
