Re: Occasional SERVFAILs from "dig NS iq."

2013-09-25 Thread Chris Thompson

I have reported this problem to bind9-bugs [ISC bug #34839].

--
Chris Thompson
Email: c...@cam.ac.uk

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Occasional SERVFAILs from "dig NS iq."

2013-09-24 Thread Chris Thompson

On Sep 24 2013, Tony Finch wrote:

> Chris Thompson  wrote:
>
> > I have noticed that I get occasional (fast) SERVFAIL responses from
> > "dig NS iq.", e.g.
> >
> > "iq" is partially signed, in the sense that some of its nameservers
> > deliver a signed version, and some an unsigned one, but I don't see
> > how that leads to the effect observed.
>
> It seems to happen when named gets a signed NS response then gets NODATA
> when it asks for the DNSKEY RRset. If it gets an unsigned NS response it
> is happy; if it gets signed NS and DNSKEY responses it is happy.


Yes, that seems to be right. But that's a bug, because absence of DNSKEY
records is not an error unless the zone is in the must-be-signed state.
BIND should go into "in that case I must prove the zone not required to
be signed" mode (top-down rather than bottom-up).

Quite a number of TLDs have been deploying DNSSEC in the same ultra-cautious
way as "iq" recently. I am surprised this bug hasn't drawn itself to our
attention before now. It surely can't have been there in the 2010 DURZ era,
when some root zone servers were serving (fake) signed versions and some
unsigned ones.

--
Chris Thompson
Email: c...@cam.ac.uk
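A simplified model of the two decision orders contrasted above (bottom-up: trust the RRSIG on the NS answer and then demand a DNSKEY; top-down: first ask the parent whether the zone must be signed). This is an added illustration, not BIND's code; it assumes the resolver has already authenticated the root's DS answer or its denial of existence, represented by the `parent_has_ds` flag, and it performs no signature verification.

```python
from dataclasses import dataclass
from enum import Enum


class Result(Enum):
    SECURE = "secure"      # chain of trust verified, answer returned with AD
    INSECURE = "insecure"  # zone provably unsigned, answer returned without AD
    BOGUS = "bogus"        # validation failure, resolver returns SERVFAIL


@dataclass(frozen=True)
class Observation:
    parent_has_ds: bool   # root published a DS for the zone (False = authenticated denial)
    ns_signed: bool       # NS answer carried an RRSIG, i.e. a "signed" server replied
    dnskey_present: bool  # DNSKEY query returned an RRset (False = NODATA)


def bottom_up(obs: Observation) -> Result:
    """Order matching the behaviour Tony observed: a signed NS answer makes
    the missing DNSKEY RRset fatal, regardless of what the parent says."""
    if not obs.ns_signed:
        return Result.INSECURE
    if not obs.dnskey_present:
        return Result.BOGUS
    return Result.SECURE


def top_down(obs: Observation) -> Result:
    """Order Chris argues for: only a zone the parent marks as signed (DS
    present) is required to have a DNSKEY RRset and signed answers."""
    if not obs.parent_has_ds:
        return Result.INSECURE
    if not obs.dnskey_present or not obs.ns_signed:
        return Result.BOGUS
    return Result.SECURE


# Constructed cases for the "iq" situation in the thread: no DS in the root,
# a mix of signing and non-signing servers, and DNSKEY queries answered NODATA.
IQ_CASES = {
    "unsigned server answered": Observation(False, False, False),
    "signed server answered": Observation(False, True, False),
}


def compare(cases=IQ_CASES):
    """Map each case to (bottom_up result, top_down result)."""
    return {name: (bottom_up(o).value, top_down(o).value) for name, o in cases.items()}
```

Only the "signed server answered" case differs between the two orders, which is the intermittent SERVFAIL the thread reports.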


Re: Occasional SERVFAILs from "dig NS iq."

2013-09-24 Thread Tony Finch
Chris Thompson  wrote:

> I have noticed that I get occasional (fast) SERVFAIL responses from
> "dig NS iq.", e.g.
>
> "iq" is partially signed, in the sense that some of its nameservers
> deliver a signed version, and some an unsigned one, but I don't see
> how that leads to the effect observed.

It seems to happen when named gets a signed NS response then gets NODATA
when it asks for the DNSKEY RRset. If it gets an unsigned NS response it
is happy; if it gets signed NS and DNSKEY responses it is happy.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.


Occasional SERVFAILs from "dig NS iq."

2013-09-24 Thread Chris Thompson

I have noticed that I get occasional (fast) SERVFAIL responses from
"dig NS iq.", e.g.

$ dig ns iq.

; <<>> DiG 9.9.4 <<>> ns iq.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7919
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;iq.                IN  NS

;; Query time: 413 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Sep 24 15:06:55 BST 2013
;; MSG SIZE  rcvd: 31

but that trying again immediately gives the right result:

$ dig ns iq.

; <<>> DiG 9.9.4 <<>> ns iq.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60361
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 7

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;iq.                IN  NS

;; ANSWER SECTION:
iq. 86400   IN  NS  nsp-anycast.cmc.iq.
iq. 86400   IN  NS  sns-pb.isc.org.
iq. 86400   IN  NS  ns1.cmc.iq.
iq. 86400   IN  NS  iq.dns.cocca.org.nz.

;; ADDITIONAL SECTION:
iq.dns.cocca.org.nz.    172798  IN  A       203.119.84.235
ns1.cmc.iq.             172798  IN  A       194.117.57.100
sns-pb.isc.org.         74136   IN  A       192.5.4.1
sns-pb.isc.org.         74136   IN  AAAA    2001:500:2e::1
nsp-anycast.cmc.iq.     172798  IN  A       194.117.58.42
nsp-anycast.cmc.iq.     172798  IN  AAAA    2001:500:14:8001:ad::42

;; Query time: 33 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Sep 24 15:06:57 BST 2013
;; MSG SIZE  rcvd: 260

The nameserver at 127.0.0.1 is running BIND 9.9.4 (the same effect was
observed with beta and rc versions earlier, and I can provoke it with
9.9.3-P2 on another server as well).

"iq" is partially signed, in the sense that some of its nameservers
deliver a signed version, and some an unsigned one, but I don't see
how that leads to the effect observed.

--
Chris Thompson
Email: c...@cam.ac.uk