On 29.01.2013 03:24, Mark Andrews wrote:
> In message <[email protected]>, Olafur Gudmundsson writes:
>> Looks like they are doing DNSSEC correctly but still not supporting DNAME
>
> So by definition they are *not* supporting DNSSEC and DNAME support is
> mandatory for DNSSEC.
Oh. That could be a problem. I hadn't noticed yet that DNAME resolution
fails for signed zones if DO=1:
Unbound and BIND get it right:
dig +dnssec _xmpp-server._tcp.jabber.openchaos.org srv @149.20.64.21
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49710
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 3, ADDITIONAL: 2
;; ANSWER SECTION:
jabber.openchaos.org. 179 IN DNAME jabber.i-pobox.net.
_xmpp-server._tcp.jabber.openchaos.org. 0 IN CNAME _xmpp-server._tcp.jabber.i-pobox.net.
[...]
DO=1 queries to Google's DNS fail:
dig +dnssec _xmpp-server._tcp.jabber.openchaos.org srv @8.8.8.8
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1842
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
Without DO, it works:
dig _xmpp-server._tcp.jabber.openchaos.org srv @8.8.8.8
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61361
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
_xmpp-server._tcp.jabber.openchaos.org. 0 IN CNAME _xmpp-server._tcp.jabber.i-pobox.net.
[...]
*grumble*
Hauke.
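
Added example (not part of the original message): the CNAME in the answers above is synthesized from the DNAME and carries no RRSIG of its own, so a validating resolver has to redo the RFC 6672 substitution against the signed DNAME. The Python below runs that check on the answer lines quoted in the message; the function names are illustrative assumptions, and escaped dots inside labels are not handled.

```python
# Added example: the DNAME -> CNAME substitution check from RFC 6672.
# SAMPLE is the ANSWER section quoted in the message (wrapped line rejoined).
SAMPLE = """\
jabber.openchaos.org. 179 IN DNAME jabber.i-pobox.net.
_xmpp-server._tcp.jabber.openchaos.org. 0 IN CNAME _xmpp-server._tcp.jabber.i-pobox.net.
"""

def labels(name):
    """Lowercased label list of a presentation-format name."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def synthesize_cname_target(qname, dname_owner, dname_target):
    """CNAME target the DNAME dictates for qname, or None if it does not apply."""
    q, o, t = labels(qname), labels(dname_owner), labels(dname_target)
    # A DNAME redirects strict descendants of its owner, never the owner itself.
    # Comparing whole labels keeps "xjabber.openchaos.org" from matching.
    if len(q) <= len(o) or q[len(q) - len(o):] != o:
        return None
    new = q[:len(q) - len(o)] + t
    # Wire format: one length octet per label plus the root label, 255 max.
    if sum(len(l) + 1 for l in new) + 1 > 255:
        raise ValueError("substituted name exceeds 255 octets (YXDOMAIN)")
    return ".".join(new) + "."

def parse_answer(text):
    """(owner, type, rdata) tuples from 'owner ttl class type rdata' lines."""
    rrs = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and not line.startswith(";"):
            rrs.append((f[0], f[3].upper(), f[4]))
    return rrs

def check_synthesized_cnames(rrs):
    """Map each CNAME owner to 'ok', 'mismatch' or 'not-covered'."""
    dnames = [(o, r) for o, t, r in rrs if t == "DNAME"]
    results = {}
    for owner, rtype, rdata in rrs:
        if rtype != "CNAME":
            continue
        status = "not-covered"  # ordinary CNAME: a signed zone must sign it
        for d_owner, d_target in dnames:
            expected = synthesize_cname_target(owner, d_owner, d_target)
            if expected is not None:
                ok = labels(expected) == labels(rdata)
                status = "ok" if ok else "mismatch"
                break
        results[owner] = status
    return results

if __name__ == "__main__":
    print(check_synthesized_cnames(parse_answer(SAMPLE)))
```

A "mismatch" result means the CNAME does not follow from the DNAME in the same answer and must not be accepted on the strength of the DNAME's signature.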