Hi Stephane,

On 07/18/2012 10:19 AM, Stephane Bortzmeyer wrote:
> Today, we experienced the problem described in
> <http://fanf.livejournal.com/107721.html>. BIND cannot query CNAME
> ns1.webhosting24.com but Unbound can. Here on OARC's ODVR service:
>
> # BIND
> % dig @2001:4f8:3:2bc:1::64:20 CNAME ns1.webhosting24.com
>
> ; <<>> DiG 9.8.1-P1 <<>> @2001:4f8:3:2bc:1::64:20 CNAME ns1.webhosting24.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35315
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;ns1.webhosting24.com. IN CNAME
>
> ;; Query time: 656 msec
> ;; SERVER: 2001:4f8:3:2bc:1:0:64:20#53(2001:4f8:3:2bc:1:0:64:20)
> ;; WHEN: Wed Jul 18 09:21:27 2012
> ;; MSG SIZE rcvd: 49
>
> # Unbound
> % dig @2001:4f8:3:2bc:1::64:21 CNAME ns1.webhosting24.com
>
> ; <<>> DiG 9.8.1-P1 <<>> @2001:4f8:3:2bc:1::64:21 CNAME ns1.webhosting24.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43630
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;ns1.webhosting24.com. IN CNAME
>
> ;; Query time: 492 msec
> ;; SERVER: 2001:4f8:3:2bc:1:0:64:21#53(2001:4f8:3:2bc:1:0:64:21)
> ;; WHEN: Wed Jul 18 09:21:31 2012
> ;; MSG SIZE rcvd: 49
>
> I suspect that Unbound may be too lax since the answer is indeed
> incorrect. ns1.webhosting24.com is delegated but the name servers
> reply with an Authority which indicates a zone cut at
> webhosting24.com. It seems BIND is right to reject it and Unbound
> is wrong?

Unbound rejects the authority records from this message. Then looks at
the resulting message and thinks that this looks like a NOERROR/NODATA
answer, which it returns to the client.

So, unbound rejects the authority zone cut, but does not turn that into
a servfail because it thinks it can understand the message with that RR
removed.

Best regards,
Wouter

> % dig @217.70.144.111 CNAME ns1.webhosting24.com
>
> ; <<>> DiG 9.7.3 <<>> @217.70.144.111 CNAME ns1.webhosting24.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17571
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;ns1.webhosting24.com. IN CNAME
>
> ;; AUTHORITY SECTION:
> webhosting24.com. 86400 IN SOA ns1.webhosting24.com. hostmaster.webhosting24.com. 2012071800 86400 3600 604800 86400
>
> ;; Query time: 23 msec
> ;; SERVER: 217.70.144.111#53(217.70.144.111)
> ;; WHEN: Wed Jul 18 10:18:46 2012
> ;; MSG SIZE rcvd: 96
> _______________________________________________
> Unbound-users mailing list
> [email protected]
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
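Added example (not part of the original message, and not Unbound or BIND source code): a simplified Python model of the handling described in the reply above, where the out-of-zone authority record is scrubbed and the remaining message is then classified. The `Response` type, the function names and the `strict` switch are hypothetical; `strict=True` only models a resolver that treats the scrubbed record as fatal, which gives the SERVFAIL seen from the BIND instance in the thread.

```python
# Simplified model of "scrub the authority section, then classify".
# Hypothetical names throughout; this is not resolver source code.
from dataclasses import dataclass, field

@dataclass
class Response:
    rcode: str
    answer: list = field(default_factory=list)     # (owner, rrtype) tuples
    authority: list = field(default_factory=list)  # (owner, rrtype) tuples

def labels(name):
    """Split a domain name into lower-case labels, ignoring the trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def in_bailiwick(owner, zone):
    """True if owner is at or below zone (label-wise suffix match)."""
    o, z = labels(owner), labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z

def scrub_authority(resp, zone):
    """Drop authority RRs whose owner lies outside the zone being queried."""
    kept = [rr for rr in resp.authority if in_bailiwick(rr[0], zone)]
    dropped = [rr for rr in resp.authority if not in_bailiwick(rr[0], zone)]
    return Response(resp.rcode, list(resp.answer), kept), dropped

def classify(resp, zone, strict=False):
    """Return the status handed to the client after scrubbing."""
    cleaned, dropped = scrub_authority(resp, zone)
    if strict and dropped:
        return "SERVFAIL"        # treat the inconsistent zone cut as fatal
    if cleaned.rcode == "NOERROR" and not cleaned.answer:
        return "NOERROR/NODATA"  # message still parses as an empty answer
    return cleaned.rcode

# Constructed from the dig output quoted in the thread: the servers that
# ns1.webhosting24.com is delegated to answer with the parent zone's SOA.
DELEGATED_ZONE = "ns1.webhosting24.com."
UPSTREAM = Response("NOERROR", [], [("webhosting24.com.", "SOA")])

if __name__ == "__main__":
    print("lenient:", classify(UPSTREAM, DELEGATED_ZONE))
    print("strict: ", classify(UPSTREAM, DELEGATED_ZONE, strict=True))
```

Comparing labels rather than raw string suffixes matters here: a plain `endswith` check would accept an unrelated owner such as `xns1.webhosting24.com.` as being inside the delegated zone.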
