Re: Re: intermittent SERVFAIL with a DLV domain

2015-12-24 Thread Timothe Litt
On 23-Dec-15 08:34, Tony Finch wrote:
> Tony Finch  wrote:
>
> Also, why is it trying to get address records for a reverse DNS name? 

An ip6.arpa or in-addr.arpa zone is not restricted to PTR records.
There's nothing special about 'reverse zones'.

dnsviz uses some heuristics to guess what records are worth looking for.

A while ago I asked Casey to have DNSVIZ check for more than PTR+DNSSEC
records in reverse zones, which he did.
There's a panel in dnsviz where you can change what it looks for if you
want more (or less).

A/ records are used in reverse zones by an obscure RFC (1101
encoding of subnet masks), and by others for similar purposes.

(It shouldn't be surprising that CNAME, TXT, RP, LOC and DNSSEC-related
records can be in reverse zones too.)

dnsviz launches its queries in parallel, so asking for a few extra
records doesn't hurt anyone.


> 23-Dec-2015 13:20:54.328 lame-servers: info: broken trust chain resolving 'a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/DS/IN': 94.126.40.2#53
> 23-Dec-2015 13:20:54.328 lame-servers: info: broken trust chain resolving '1.0.0.0.3.2.1.0.0.0.0.0.0.0.0.0.2.0.0.f.a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa//IN': 2a01:8000:1ffa:f003:bc9d:1dff:fe9b:7466#53
> 23-Dec-2015 13:20:54.398 lame-servers: info: broken trust chain resolving '1.0.0.0.3.2.1.0.0.0.0.0.0.0.0.0.2.0.0.f.a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/A/IN': 217.168.153.95#53
>
> Tony.

Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed. 

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: intermittent SERVFAIL with a DLV domain

2015-12-23 Thread Tony Finch
Tony Finch  wrote:

> I have a couple of recursive servers running 9.10.3-P2 which are
> intermittently returning SERVFAIL responses for queries under
> a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa. This domain is in dlv.isc.org; its
> parent is unsigned but seems to be DNSSEC-aware - the servers set DO and
> give the correct authority for DS nodata responses.
>
> http://dnsviz.net/d/a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/dnssec/

After turning on lame-servers logging I get the following which basically
confirms what I already worked out but doesn't really explain why the
validator thinks that a broken chain of trust is such a disaster.

Also, why is it trying to get address records for a reverse DNS name?

23-Dec-2015 13:20:54.328 lame-servers: info: broken trust chain resolving 'a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/DS/IN': 94.126.40.2#53
23-Dec-2015 13:20:54.328 lame-servers: info: broken trust chain resolving '1.0.0.0.3.2.1.0.0.0.0.0.0.0.0.0.2.0.0.f.a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa//IN': 2a01:8000:1ffa:f003:bc9d:1dff:fe9b:7466#53
23-Dec-2015 13:20:54.398 lame-servers: info: broken trust chain resolving '1.0.0.0.3.2.1.0.0.0.0.0.0.0.0.0.2.0.0.f.a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/A/IN': 217.168.153.95#53

Tony.
-- 
f.anthony.n.finch    http://dotat.at/
Fair Isle, Southeast Faeroes: Southwesterly veering southerly for a time, 7 to
severe gale 9, increasing storm 10 or violent storm 11 later. Very rough or
high, becoming high or very high later. Rain or squally showers. Moderate or
good, occasionally poor.
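Added example (editor's code, not from either poster or from ISC/dnsviz): a small Python script that takes the BIND lame-servers lines quoted above, re-joins the records the mail client wrapped, parses out QNAME/QTYPE/QCLASS and the server, and decodes each ip6.arpa name back into the address block it denotes. That makes two things in the log visible at a glance: the DS lookup was at the /48 delegation point (2a01:8000:1ffa::/48) while the two failing lookups were for a single host name (2a01:8000:1ffa:f002::123:1/128), and the second record has an empty QTYPE between the slashes exactly as it appears in the mail. It also handles in-addr.arpa names, which the thread mentions but the log does not contain. The sample log text is constructed from the lines in the thread; the regular expressions match only the "broken trust chain resolving" message shape shown there and are an assumption about no other BIND log format.

```python
import ipaddress
import re

# Constructed sample input: the three BIND "lame-servers" log lines quoted in
# the thread, reproduced as they arrived in the mail, i.e. wrapped so that one
# log record spans two or three text lines.
SAMPLE_LOG = "\n".join([
    "23-Dec-2015 13:20:54.328 lame-servers: info: broken trust chain resolving",
    "'a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/DS/IN': 94.126.40.2#53",
    "23-Dec-2015 13:20:54.328 lame-servers: info: broken trust chain resolving",
    "'1.0.0.0.3.2.1.0.0.0.0.0.0.0.0.0.2.0.0.f.a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa//IN':",
    " 2a01:8000:1ffa:f003:bc9d:1dff:fe9b:7466#53",
    "23-Dec-2015 13:20:54.398 lame-servers: info: broken trust chain resolving",
    "'1.0.0.0.3.2.1.0.0.0.0.0.0.0.0.0.2.0.0.f.a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/A/IN':",
    " 217.168.153.95#53",
])

# A new log record starts with a BIND timestamp such as "23-Dec-2015 13:20:54.328".
RECORD_START = re.compile(r"^\d{2}-[A-Z][a-z]{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} ")

# Shape of the message seen in the thread (assumed, matched only as shown there):
#   <ts> lame-servers: info: broken trust chain resolving 'QNAME/QTYPE/QCLASS': SERVER#PORT
BROKEN_CHAIN = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<category>[\w-]+): (?P<level>\w+): "
    r"broken trust chain resolving "
    r"'(?P<qname>[^/']+)/(?P<qtype>[^/']*)/(?P<qclass>[^/']+)': "
    r"(?P<server>\S+)#(?P<port>\d+)$"
)


def unwrap_records(text):
    """Re-join log records that a mail client wrapped across several lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if RECORD_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] = records[-1] + " " + line.strip()
    return records


def parse_broken_chain(text):
    """Return one dict per 'broken trust chain' record; other lines are ignored."""
    parsed = []
    for record in unwrap_records(text):
        m = BROKEN_CHAIN.match(record)
        if m:
            parsed.append(m.groupdict())
    return parsed


def arpa_to_network(name):
    """Decode an ip6.arpa or in-addr.arpa name into the address block it denotes.

    A partial name (fewer than 32 nibbles / 4 octets) is a prefix such as a
    delegation point; a full name is a single host address (/128 or /32).
    """
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = labels[:-2]
        if len(nibbles) > 32 or any(len(n) != 1 or n not in "0123456789abcdef" for n in nibbles):
            raise ValueError("malformed ip6.arpa name: %s" % name)
        # Labels are least-significant nibble first; reverse and zero-pad to 128 bits.
        hexdigits = "".join(reversed(nibbles)).ljust(32, "0")
        return ipaddress.IPv6Network((int(hexdigits, 16), 4 * len(nibbles)))
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2]
        if len(octets) > 4 or any(not o.isdigit() or int(o) > 255 for o in octets):
            raise ValueError("malformed in-addr.arpa name: %s" % name)
        value = 0
        for o in reversed(octets):
            value = (value << 8) | int(o)
        value <<= 8 * (4 - len(octets))
        return ipaddress.IPv4Network((value, 8 * len(octets)))
    raise ValueError("not a reverse-mapping name: %s" % name)


def analyse(text):
    """Attach the decoded address block to each record and flag an empty QTYPE."""
    out = []
    for rec in parse_broken_chain(text):
        rec["network"] = str(arpa_to_network(rec["qname"]))
        rec["qtype"] = rec["qtype"] or "(missing)"
        out.append(rec)
    return out


if __name__ == "__main__":
    for rec in analyse(SAMPLE_LOG):
        print("%-9s %-32s from %s" % (rec["qtype"], rec["network"], rec["server"]))
```

Run stand-alone it prints one line per record: the DS query against the /48, then the two host-name queries, one with "(missing)" where the mail shows an empty type. Feed it a real named log instead of SAMPLE_LOG to group validation failures by delegation point rather than by individual PTR name.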