On 2023-02-27 16:22, Havard Eidnes wrote:
> I'm assuming your upstream name servers are providing recursive
> service to you. If that's the case, to me it then sounds like
> the upstream name servers do not implement DNSSEC; refusing to
> look up "unusual" / "new" record types is a violation of the
> standard, I would think -- perhaps even irrespective of whether
> they implement DNSSEC or not.
>
> "Pick another upstream" would be my suggestion, if that's at all
> feasible. Either that, or do your own recursive resolution, and
> don't rely on someone else bodging it for you :)

No, again that is not my issue.
All of the servers that dns.com operates are dropping queries for the
Resource Record Type DS.
They are the authoritative servers for dns.com as well as for the parent
zone of the zone our customer wants to resolve and the zone itself.
We are providing recursion for our customer.
Our customer sends us DS queries, we try to query the respective servers
but they will drop the queries silently which will make our unbound mark
these servers as unresponsive and not query them any further.
When all authoritative servers for these domains are being marked
unresponsive, our unbound will respond SERVFAIL to all queries that would
be sent to those servers, making it impossible to resolve anything
within zones hosted on those servers.
Florian
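
A way to check the behaviour described in this message from the resolver side, as an added example that is not part of the original thread: it sends A, SOA and DS queries over UDP to one authoritative server and reports the types that time out while others are answered. The function names, the set of probed types, the timeout and retry values and the IPv4-only socket are assumptions of the example.

```python
import socket
import struct
import sys

QTYPES = {"A": 1, "SOA": 6, "DS": 43}  # RR type codes (IANA registry)

def build_query(name, qtype, qid=0x1234):
    """Minimal query with RD=0, as a resolver sends to an authoritative server."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    labels = [l for l in name.split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN

def rcode_of(reply, query):
    """RCODE of a reply that matches the query ID and has QR set, else None."""
    if len(reply) < 12 or reply[:2] != query[:2] or not reply[2] & 0x80:
        return None
    return reply[3] & 0x0F

def probe(server, name, qtype, port=53, timeout=2.0, tries=2):
    """Send the query over UDP; return the RCODE, or None if nothing came back."""
    query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for _attempt in range(tries):
            s.sendto(query, (server, port))
            try:
                reply, _addr = s.recvfrom(4096)
            except socket.timeout:
                continue
            rcode = rcode_of(reply, query)
            if rcode is not None:
                return rcode
    return None

def verdict(results):
    """results maps type name -> RCODE, or None when every attempt timed out."""
    dropped = sorted(t for t, r in results.items() if r is None)
    if not dropped:
        return "answers all probed types"
    if len(dropped) == len(results):
        return "no answer at all (unreachable or down)"
    return "selective drop: " + ",".join(dropped)

if __name__ == "__main__":
    server, zone = sys.argv[1], sys.argv[2]  # authoritative server IPv4, zone name
    results = {t: probe(server, zone, code) for t, code in QTYPES.items()}
    print(results, "->", verdict(results))
```

A "selective drop" verdict for DS while A and SOA come back with an RCODE separates a per-type filter from a server that is simply unreachable.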