On Tue, Sep 04, 2012 at 01:57:20PM -0700, Wessels, Duane <[email protected]> wrote a message of 36 lines which said:
> http://prefetch.validatorsearch.verisignlabs.com

On my machines, I can resolve the name with BIND but not with Unbound (SERVFAIL, even with ). On OARC's ODVR both BIND and Unbound work.

With my Unbound, validation fails, but I can get data with +cd:

% dig +cd A prefetch.validatorsearch.verisignlabs.com

; <<>> DiG 9.8.1-P1 <<>> +cd A prefetch.validatorsearch.verisignlabs.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43366
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;prefetch.validatorsearch.verisignlabs.com. IN A

;; ANSWER SECTION:
prefetch.validatorsearch.verisignlabs.com. 604500 IN A 127.0.0.1

;; AUTHORITY SECTION:
validatorsearch.verisignlabs.com. 3296 IN NS vfns2.verisignlabs.com.
validatorsearch.verisignlabs.com. 3296 IN NS vfns1.verisignlabs.com.
validatorsearch.verisignlabs.com. 3296 IN RRSIG NS 5 3 3600 20120906203607 20120807203607 58962 validatorsearch.verisignlabs.com. rWe8hzHOfLmi/NwT7LC64sL2LqjtIgPS1bDL6o6/PYlkgBpBDzEprYlL kJM/d3KsJzpvSwfcK1KFoDk7mwKdNED5Z3QCSnRrt2qlYD1H1KgOAeFX CciD380ZV7Qsn+UbpygdmGja6wTHqNAyiRgX7DIuMNjxytkT5xI0UluS v1U=

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Sep 5 10:36:57 2012
;; MSG SIZE rcvd: 318

The log says:

Sep 5 10:31:53 batilda unbound: [1976:0] info: iterator operate: query validatorsearch.verisignlabs.com. AAAA IN
Sep 5 10:31:53 batilda unbound: [1976:0] info: processQueryTargets: validatorsearch.verisignlabs.com. AAAA IN
Sep 5 10:31:53 batilda unbound: [1976:0] debug: cache memory msg=4456279 rrset=4456090 infra=2550870 val=1090917
Sep 5 10:31:53 batilda unbound: [1976:0] debug: iterator[module 1] operate: extstate:module_wait_reply event:module_event_reply
Sep 5 10:31:53 batilda unbound: [1976:0] info: iterator operate: query validatorsearch.verisignlabs.com. AAAA IN
Sep 5 10:31:53 batilda unbound: [1976:0] info: sanitize: removing overreaching NSEC RRset: validatorsearch.verisignlabs.com. NSEC IN
Sep 5 10:31:53 batilda unbound: [1976:0] info: response for validatorsearch.verisignlabs.com. AAAA IN
Sep 5 10:31:53 batilda unbound: [1976:0] info: reply from <validatorsearch.verisignlabs.com.> 72.13.58.101#53
Sep 5 10:31:53 batilda unbound: [1976:0] info: query response was DNSSEC LAME

My analysis: the NSEC is not signed. It is surprising that BIND accepts that:

% dig +dnssec @vfns1.verisignlabs.com. AAAA prefetch.validatorsearch.verisignlabs.com

; <<>> DiG 9.7.3 <<>> @vfns1.verisignlabs.com. AAAA prefetch.validatorsearch.verisignlabs.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10966
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;prefetch.validatorsearch.verisignlabs.com. IN AAAA

;; AUTHORITY SECTION:
validatorsearch.verisignlabs.com. 3600 IN SOA vfns1.verisignlabs.com. root.packet-pushers.com. 2012080700 3600 300 604800 3600
prefetch.validatorsearch.verisignlabs.com. 3600 IN NSEC validatorsearch.verisignlabs.com. A RRSIG NSEC

;; Query time: 92 msec
;; SERVER: 72.13.58.100#53(72.13.58.100)
;; WHEN: Wed Sep 5 10:39:31 2012
;; MSG SIZE rcvd: 154

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
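
Added example, not part of the original message: a small Python check that lists the RRsets in a dig section that arrive without a covering RRSIG, run over the authority section of the "dig +dnssec" output above. It tests only whether a signature record is present, not whether it validates; the second input and its PLACEHOLDER signatures are constructed, and the function name is hypothetical.

```python
# Added example: list RRsets in a dig section that have no covering RRSIG.
# This checks presence of signatures only; it does no cryptographic validation.
import re

# Authority section copied from the "dig +dnssec @vfns1..." output in the message.
DIG_AUTHORITY = """\
validatorsearch.verisignlabs.com. 3600 IN SOA vfns1.verisignlabs.com. root.packet-pushers.com. 2012080700 3600 300 604800 3600
prefetch.validatorsearch.verisignlabs.com. 3600 IN NSEC validatorsearch.verisignlabs.com. A RRSIG NSEC
"""

# Constructed counter-example: the same RRsets plus placeholder RRSIG records.
SIGNED_AUTHORITY = DIG_AUTHORITY + """\
validatorsearch.verisignlabs.com. 3600 IN RRSIG SOA 5 3 3600 20120906203607 20120807203607 58962 validatorsearch.verisignlabs.com. PLACEHOLDER=
prefetch.validatorsearch.verisignlabs.com. 3600 IN RRSIG NSEC 5 4 3600 20120906203607 20120807203607 58962 validatorsearch.verisignlabs.com. PLACEHOLDER=
"""

# owner, TTL, class IN, type, rest of the record (RDATA)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def unsigned_rrsets(section_text):
    """Return sorted (owner, type) pairs that have no RRSIG covering them."""
    rrsets, covered = set(), set()
    for line in section_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and dig comment lines
        m = RR_LINE.match(line)
        if not m:
            continue  # not a resource record in presentation format
        owner, rrtype, rdata = m.group(1).lower(), m.group(3).upper(), m.group(4)
        if rrtype == "RRSIG":
            # The first RDATA field of an RRSIG is the type it covers.
            covered.add((owner, rdata.split()[0].upper()))
        else:
            rrsets.add((owner, rrtype))
    return sorted(rrsets - covered)


if __name__ == "__main__":
    for owner, rrtype in unsigned_rrsets(DIG_AUTHORITY):
        print(f"no RRSIG for {owner} {rrtype}")
```

On the output quoted in the message, both the NSEC and the SOA in the authority section come back without a signature record.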
