Hi Danilo,

There’s a misconfiguration on the verisigndns.com side (already reported to
Verisign), where ftp.rs.verisigndns.com is delegated (e.g. there’s the
zonecut), but the child servers are configured as authoritative for
rs.verisigndns.com. If there was just a query for the A record, it wouldn’t
matter, but the AAAA query is triggering a NODATA response, which triggers
the detection of the mismatched SOA.

named correctly detects the misconfiguration and returns SERVFAIL for the
AAAA query.

Cheers,
Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org

> On 16. 9. 2021, at 11:42, Danilo Godec via bind-users 
> <bind-users@lists.isc.org> wrote:
> 
> Hello,
> 
> 
> 
> I recently stumbled upon a problem trying to update my root hints file from 
> ftp.rs.internic.net. For some reason, one of my DNS servers running on Alpine 
> Linux can't resolve this name properly and always fails:
> 
> # ping ftp.rs.internic.net
> ping: ftp.rs.internic.net: Try again
> 
> 
> nslookup starts off fine, it prints the A record, but then it fails to:
> # nslookup ftp.rs.internic.net
> Server:         127.0.0.1
> Address:        127.0.0.1#53
> 
> Non-authoritative answer:
> ftp.rs.internic.net     canonical name = ftp.rs.verisigndns.com.
> Name:   ftp.rs.verisigndns.com
> Address: 69.58.179.79
> ** server can't find ftp.rs.verisigndns.com: SERVFAIL
> 
> 
> 
> It seems the problem is with AAAA records, as apparently musl libc tries to 
> resolve both A and AAAA records and fails if either of them is not available. 
> Unfortunately, I couldn't find a way to configure the musl resolver not to 
> try AAAA records.
> 
> Digging a bit deeper I found out that these queries cause BIND to log errors:
> 
> named[12737]: DNS format error from 185.100.2.22#53 resolving ftp.rs.verisigndns.com/AAAA for 127.0.0.1#39521: Name rs.verisigndns.com (SOA) not subdomain of zone ftp.rs.verisigndns.com -- invalid response
> named[12737]: DNS format error from 72.13.39.22#53 resolving ftp.rs.verisigndns.com/AAAA for 127.0.0.1#39521: Name rs.verisigndns.com (SOA) not subdomain of zone ftp.rs.verisigndns.com -- invalid response
> named[12737]: DNS format error from 69.36.158.22#53 resolving ftp.rs.verisigndns.com/AAAA for 127.0.0.1#39521: Name rs.verisigndns.com (SOA) not subdomain of zone ftp.rs.verisigndns.com -- invalid response
> named[12737]: DNS format error from 199.16.87.22#53 resolving ftp.rs.verisigndns.com/AAAA for 127.0.0.1#39521: Name rs.verisigndns.com (SOA) not subdomain of zone ftp.rs.verisigndns.com -- invalid response
> 
> 
> 
> However, if I point the system resolver (or nslookup) to some other DNS (my 
> ISP's DNS, for example), neither ping nor nslookup fails.
> 
> 
> 
> Is there anything I can do on my BIND to make musl libc happy and not fail in 
> such a case? 
> 
> 
> 
>      Thanks,
> 
>     Danilo
> 
> 
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
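
A way to spot this kind of misconfiguration in resolver logs, as an added example that is not part of the original thread: it parses named's "(SOA) not subdomain of zone" errors, groups them by zone cut and SOA owner, and flags the case described above where the delegated name sits below the zone the child servers answer for. The function and variable names are hypothetical, and the script assumes each log entry is on a single line.

```python
import re
from collections import defaultdict

# Sample input: two entries in the format quoted in the thread, plus one
# constructed unrelated line that the parser must ignore.
SAMPLE_LOG = """\
named[12737]: DNS format error from 185.100.2.22#53 resolving ftp.rs.verisigndns.com/AAAA for 127.0.0.1#39521: Name rs.verisigndns.com (SOA) not subdomain of zone ftp.rs.verisigndns.com -- invalid response
named[12737]: DNS format error from 72.13.39.22#53 resolving ftp.rs.verisigndns.com/AAAA for 127.0.0.1#39521: Name rs.verisigndns.com (SOA) not subdomain of zone ftp.rs.verisigndns.com -- invalid response
named[12737]: zone example.test/IN: loaded serial 1
"""

LINE_RE = re.compile(
    r"DNS format error from (?P<server>[0-9A-Fa-f.:]+)#\d+ resolving "
    r"(?P<qname>\S+)/(?P<qtype>[A-Z0-9]+) for \S+: "
    r"Name (?P<soa>\S+) \(SOA\) not subdomain of zone (?P<zone>\S+)"
)

def labels(name):
    """Split a domain name into lowercase labels, ignoring a trailing root dot."""
    return [part for part in name.lower().rstrip(".").split(".") if part]

def is_subdomain(name, zone):
    """True if name is at or below zone, compared per label (not by string suffix)."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def find_soa_mismatches(log_text):
    """Group mismatch reports by (zone cut, SOA owner) with the servers that sent them."""
    findings = defaultdict(lambda: {"servers": set(), "queries": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or is_subdomain(m["soa"], m["zone"]):
            continue  # unrelated line, or the SOA owner is consistent with the zone
        entry = findings[(m["zone"], m["soa"])]
        entry["servers"].add(m["server"])
        entry["queries"].add(f'{m["qname"]}/{m["qtype"]}')
        # Case from the thread: the name is delegated, but the child servers
        # answer as authoritative for the enclosing (parent) zone.
        entry["child_serves_parent"] = is_subdomain(m["zone"], m["soa"])
    return dict(findings)

if __name__ == "__main__":
    for (zone, soa), info in find_soa_mismatches(SAMPLE_LOG).items():
        print(f"zone cut {zone}: negative answers carry SOA for {soa}")
        print(f"  servers: {sorted(info['servers'])}")
        print(f"  queries: {sorted(info['queries'])}")
        print(f"  child servers authoritative for parent: {info['child_serves_parent']}")
```
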
