Hi Stephane,

I think the problem is the recent NSEC+RRSIG parse bug I fixed. In the ANY queries that is present and can lead to the problem, the bug is triggered based on ordering in the packet, and this causes the randomness for you.

So, it is fixed in subversion trunk and perhaps I should consider making a bugfix release :-)

Best regards,
Wouter

On 06/30/2009 02:14 PM, Stephane Bortzmeyer wrote:
> The zone absolight.net (signed and published in ISC DLV) puzzles
> me. Some requests SERVFAIL but not others:
>
> % dig ANY ns1.absolight.net.
> ...
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33316
>
> % dig ANY ns2.absolight.net.
> ...
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19901
> ...
> ns2.absolight.net. 86245 IN A 80.245.57.153
>
> % dig A ns1.absolight.net.
> ...
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13932
> ...
> ns1.absolight.net. 86400 IN A 79.143.240.129
>
> The problem is DNSSEC-related since, if I add +cd, it works:
>
> % dig +cd ANY ns1.absolight.net.
> ...
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59487
> ...
> ns1.absolight.net. 3420 IN RRSIG NSEC 5 3 3600 20090714212355
> 20090614212355 11595 absolight.net.
> 34zDPJjCt/H072EJd/54dydJV1xyXVMUHvyrfzrrqEBH/EX3JsqEk46Q
> embiOCOBUt1Rg/17LAJ96lYte556B2jjSOGH2jBkAki8X9feJNj4HIHP ULPCHsYYyw74ZFCK
> ns1.absolight.net. 3420 IN NSEC ns1-6.absolight.net. A AAAA
> RRSIG NSEC
> ns1.absolight.net. 86187 IN AAAA 2a01:678:100:53::53
> ...
>
> I admit I do not understand why A requests work and not an ANY
> request.
>
> If I restart Unbound, *other* names in the zone fail and those which
> failed now work.
>
> BIND has no problem with this zone.
>
> Unbound 1.2.0 and 1.3.0, Debian/Linux. All the tests have been done
> with dlv.isc.org enabled.
>
> _______________________________________________
> Unbound-users mailing list
> [email protected]
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
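
The comparison used in the report above (the same query with and without +cd), written out as an added example that is not part of the original thread: it reads dig header lines and separates a SERVFAIL that clears once checking is disabled from one that does not. The probe list is constructed from the statuses quoted in the thread; the name broken.example., the header ids for it, and the verdict labels are assumptions made for illustration.

```python
import re

# Matches the header line dig prints for every response.
HEADER_RE = re.compile(r"->>HEADER<<-\s+opcode:\s+\w+,\s+status:\s+(\w+),\s+id:\s+\d+")

def parse_status(dig_output):
    """Return the RCODE name from dig's header line, or None if absent."""
    m = HEADER_RE.search(dig_output)
    return m.group(1) if m else None

def triage(probes):
    """probes: iterable of (name, qtype, cd_set, dig_output).
    Pairs each normal query with its +cd counterpart and returns
    {(name, qtype): verdict}."""
    status = {(n, q, cd): parse_status(out) for n, q, cd, out in probes}
    verdicts = {}
    for (name, qtype, cd), rcode in status.items():
        if cd:
            continue  # +cd answers serve only as the comparison point
        with_cd = status.get((name, qtype, True))
        if rcode is None:
            verdict = "unparsed"
        elif rcode != "SERVFAIL":
            verdict = "not-servfail"
        elif with_cd is None:
            verdict = "servfail-untested"      # no +cd probe to compare against
        elif with_cd == "NOERROR":
            verdict = "validation-failure"     # data exists, validator rejected it
        else:
            verdict = "upstream-failure"       # fails even with checking disabled
        verdicts[(name, qtype)] = verdict
    return verdicts

def hdr(rcode, qid):
    # Constructed header line in dig's output format.
    return f";; ->>HEADER<<- opcode: QUERY, status: {rcode}, id: {qid}"

# Constructed probes: first four statuses are those quoted in the thread,
# broken.example. is a hypothetical name that fails either way.
PROBES = [
    ("ns1.absolight.net.", "ANY", False, hdr("SERVFAIL", 33316)),
    ("ns1.absolight.net.", "ANY", True,  hdr("NOERROR", 59487)),
    ("ns2.absolight.net.", "ANY", False, hdr("NOERROR", 19901)),
    ("ns1.absolight.net.", "A",   False, hdr("NOERROR", 13932)),
    ("broken.example.",    "A",   False, hdr("SERVFAIL", 1)),
    ("broken.example.",    "A",   True,  hdr("SERVFAIL", 2)),
]

if __name__ == "__main__":
    for key, verdict in sorted(triage(PROBES).items()):
        print(key, verdict)
```

A "validation-failure" verdict only says the resolver's validator rejected the answer; as the reply notes, here the cause was a parse bug in the resolver, not bad signatures in the zone.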
