Re: Re: intermittent SERVFAIL with a DLV domain
On 23-Dec-15 08:34, Tony Finch wrote:
> Tony Finch wrote:
> > Also, why is it trying to get address records for a reverse DNS name?

An ip6.arpa or in-addr.arpa zone is not restricted to PTR records. There's nothing special about 'reverse zones'.

dnsviz uses some heuristics to guess what records are worth looking for. A while ago I asked Casey to have DNSVIZ check for more than PTR+DNSSEC records in reverse zones, which he did. There's a panel in dnsviz where you can change what it looks for if you want more (or less).

A/ records are used in reverse zones by an obscure RFC (1101 encoding of subnet masks), and by others for similar purposes. (It shouldn't be surprising that CNAME, TXT, RP, LOC and DNSSEC-related records can be in reverse zones too.) dnsviz launches its queries in parallel, so asking for a few extra records doesn't hurt anyone.

> 23-Dec-2015 13:20:54.328 lame-servers: info: broken trust chain resolving
> 'a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/DS/IN': 94.126.40.2#53
> 23-Dec-2015 13:20:54.328 lame-servers: info: broken trust chain resolving
> '1.0.0.0.3.2.1.0.0.0.0.0.0.0.0.0.2.0.0.f.a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa//IN':
> 2a01:8000:1ffa:f003:bc9d:1dff:fe9b:7466#53
> 23-Dec-2015 13:20:54.398 lame-servers: info: broken trust chain resolving
> '1.0.0.0.3.2.1.0.0.0.0.0.0.0.0.0.2.0.0.f.a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/A/IN':
> 217.168.153.95#53
>
> Tony.

Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views, if any, on the matters discussed.

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: intermittent SERVFAIL with a DLV domain
Tony Finch wrote:
> I have a couple of recursive servers running 9.10.3-P2 which are
> intermittently returning SERVFAIL responses for queries under
> a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa. This domain is in dlv.isc.org; its
> parent is unsigned but seems to be DNSSEC-aware - the servers set DO and
> give the correct authority for DS nodata responses.
>
> http://dnsviz.net/d/a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/dnssec/

After turning on lame-servers logging I get the following, which basically confirms what I already worked out but doesn't really explain why the validator thinks that a broken chain of trust is such a disaster. Also, why is it trying to get address records for a reverse DNS name?

23-Dec-2015 13:20:54.328 lame-servers: info: broken trust chain resolving 'a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/DS/IN': 94.126.40.2#53
23-Dec-2015 13:20:54.328 lame-servers: info: broken trust chain resolving '1.0.0.0.3.2.1.0.0.0.0.0.0.0.0.0.2.0.0.f.a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa//IN': 2a01:8000:1ffa:f003:bc9d:1dff:fe9b:7466#53
23-Dec-2015 13:20:54.398 lame-servers: info: broken trust chain resolving '1.0.0.0.3.2.1.0.0.0.0.0.0.0.0.0.2.0.0.f.a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/A/IN': 217.168.153.95#53

Tony.
--
f.anthony.n.finch  http://dotat.at/
Fair Isle, Southeast Faeroes: Southwesterly veering southerly for a time, 7 to severe gale 9, increasing storm 10 or violent storm 11 later. Very rough or high, becoming high or very high later. Rain or squally showers. Moderate or good, occasionally poor.
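When a resolver starts returning SERVFAIL like this, the quickest way to see which zone, query types and authoritative servers are behind a burst of "broken trust chain" messages is to parse the lame-servers log. The following is an added example (mine, not code from the thread or from BIND) that does that over the three lines quoted above; the line shape is assumed from those lines only, and the empty type field in the second line is kept as "unknown" rather than dropping the line.

```python
import re
from collections import Counter

# Sample input: the three lame-servers lines quoted in the post, copied verbatim
# (the second one has an empty type field exactly as the archive shows it).
SAMPLE_LOG = """\
23-Dec-2015 13:20:54.328 lame-servers: info: broken trust chain resolving 'a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/DS/IN': 94.126.40.2#53
23-Dec-2015 13:20:54.328 lame-servers: info: broken trust chain resolving '1.0.0.0.3.2.1.0.0.0.0.0.0.0.0.0.2.0.0.f.a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa//IN': 2a01:8000:1ffa:f003:bc9d:1dff:fe9b:7466#53
23-Dec-2015 13:20:54.398 lame-servers: info: broken trust chain resolving '1.0.0.0.3.2.1.0.0.0.0.0.0.0.0.0.2.0.0.f.a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/A/IN': 217.168.153.95#53
"""

# Assumed line shape (taken from the lines above, not from BIND documentation):
# "<date> <time> lame-servers: <level>: broken trust chain resolving
#  '<qname>/<qtype>/<qclass>': <server>#<port>".  qtype may be empty.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) lame-servers: (?P<level>\w+): broken trust chain resolving "
    r"'(?P<qname>[^/']+)/(?P<qtype>[^/']*)/(?P<qclass>[^/']+)': (?P<server>[^#\s]+)#(?P<port>\d+)$"
)


def parse_line(line):
    """Return a dict for one 'broken trust chain' line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["qname"] = ev["qname"].rstrip(".").lower()
    ev["qtype"] = ev["qtype"] or None   # empty field in the captured line -> unknown type
    ev["port"] = int(ev["port"])
    return ev


def is_under(name, zone):
    """True if name equals zone or is a subdomain of it (name already lower-cased)."""
    zone = zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def summarize(log_text, zone):
    """Count broken-trust-chain events, how many fall under `zone`, and which
    query types and authoritative servers were involved for that zone."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    under = [e for e in events if is_under(e["qname"], zone)]
    return {
        "total": len(events),
        "under_zone": len(under),
        "qtypes": Counter(e["qtype"] or "?" for e in under),
        "servers": sorted({e["server"] for e in under}),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa"))
```

Feeding a real named log through `summarize` with the suspect zone shows at a glance whether every failure sits under one delegation (a trust-chain problem at that cut) or is spread across zones (more likely a resolver-side or DLV-lookup problem).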