[nsd-users] Trying to understand a SERVFAIL

W.C.A. Wijngaards wouter at NLnetLabs.nl
Fri Jan 1 00:07:30 UTC 2010


Hi Pim, Jeremy,

This response looks like a corner case.  I think it may trigger that bad
behaviour in some resolvers.  This may be something that is caused by
new 'Kaminsky-era-paranoia' fixes in resolvers.  I see that this
response triggers drastic cutting measures in unbound (but it does work
there), perhaps BIND does something as well.

One operational fix would be to integrate both zones - no zone cut, SOA
or NS records for l.paphosting.net.  Simply put the information into the
paphosting.net zone.  This is an operational fix, perhaps BIND and NSD
code need fixes.

http0.l   IN      A
http0.l   IN      AAAA    2001:7b8:3:4f:216:3eff:fe4b:ae79
http0.l   IN      A
http0.l   IN      AAAA    2a02:898:28::2

Since many resolvers won't use the information after the CNAME from the
first response anyway, perhaps NSD should not descend into the next zone.

Best regards,

On 12/28/2009 09:53 PM, Pim van Pelt wrote:
> Hoi Jeremy,
> On Mon, Dec 28, 2009 at 8:07 PM, Jeremy C. Reed <reed at reedmedia.net> wrote:
>> multiple NS RRsets in authority section
> This seems correct to me.
>> l.paphosting.net.       300     IN      NS      ns.paphosting.nl.
>> l.paphosting.net.       300     IN      NS      ns.paphosting.net.
>> l.paphosting.net.       300     IN      NS      ns.paphosting.eu.
>> paphosting.net.         86400   IN      NS      ns.paphosting.nl.
>> paphosting.net.         86400   IN      NS      ns.paphosting.net.
>> paphosting.net.         86400   IN      NS      ns.paphosting.eu.
>> (I don't know why.)
> this is because www.paphosting.net is a CNAME to
> http0.l.paphosting.net (which is a different zone, the nameservers of
> which are the same but their TTL is 300s).
> groet,
> Pim
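Added example, not part of the thread or of NSD: a small model of the authoritative data described above that flags CNAMEs whose target crosses a zone cut into a child zone served by the same server, shows how many served zones (and hence NS RRsets with differing TTLs) a response would touch while following the CNAME, and applies the "merge the child into the parent" fix from the message. The zone data is constructed; names, TTLs and the two AAAA addresses are taken from the thread, the SOA content and the helper names are assumptions.

```python
"""Added example (not from the thread): model an authoritative server's zone
data, detect CNAMEs whose target crosses a zone cut into a child zone that the
same server also serves, and apply the 'merge the child into the parent'
operational fix.  Zone data is constructed; only the names, TTLs and the two
AAAA addresses come from the thread, the SOA content is a placeholder."""
import copy

# A zone is {owner: {rrtype: [(ttl, rdata), ...]}}; names absolute, lower-case.

def build_zone(records):
    zone = {}
    for owner, ttl, rtype, rdata in records:
        zone.setdefault(owner.lower(), {}).setdefault(rtype, []).append((ttl, rdata))
    return zone

NS_SET = ["ns.paphosting.nl.", "ns.paphosting.net.", "ns.paphosting.eu."]
PLACEHOLDER_SOA = "ns.paphosting.net. hostmaster.paphosting.net. 1 7200 3600 1209600 3600"

CONSTRUCTED_ZONES = {
    "paphosting.net.": build_zone(
        [("paphosting.net.", 86400, "SOA", PLACEHOLDER_SOA)]
        + [("paphosting.net.", 86400, "NS", ns) for ns in NS_SET]
        + [("www.paphosting.net.", 86400, "CNAME", "http0.l.paphosting.net.")]
        # the zone cut: delegation NS RRset for the child, TTL 300 as in the thread
        + [("l.paphosting.net.", 300, "NS", ns) for ns in NS_SET]),
    "l.paphosting.net.": build_zone(
        [("l.paphosting.net.", 300, "SOA", PLACEHOLDER_SOA)]
        + [("l.paphosting.net.", 300, "NS", ns) for ns in NS_SET]
        + [("http0.l.paphosting.net.", 300, "AAAA", "2001:7b8:3:4f:216:3eff:fe4b:ae79"),
           ("http0.l.paphosting.net.", 300, "AAAA", "2a02:898:28::2")]),
}

def is_at_or_below(name, apex):
    return name == apex or name.endswith("." + apex)

def closest_zone(name, zones):
    """Apex of the most specific served zone that name lies under, or None."""
    matches = [z for z in zones if is_at_or_below(name, z)]
    return max(matches, key=len) if matches else None

def zone_cut_below(name, apex, zone):
    """Owner of the deepest non-apex NS RRset in `zone` that `name` lies under
    (the delegation point), or None when no cut is crossed."""
    cuts = [o for o, rr in zone.items()
            if o != apex and "NS" in rr and is_at_or_below(name, o)]
    return max(cuts, key=len) if cuts else None

def find_cross_cut_cnames(zones):
    """Return (cname_owner, target, cut, child_served_locally) for every CNAME
    whose target lies below a delegation inside the zone holding the CNAME."""
    findings = []
    for apex, zone in zones.items():
        for owner, rrsets in zone.items():
            for _ttl, target in rrsets.get("CNAME", []):
                cut = zone_cut_below(target, apex, zone)
                if cut is not None:
                    findings.append((owner, target, cut, closest_zone(target, zones) == cut))
    return findings

def zones_touched_by_chain(zones, qname, max_hops=8):
    """Apexes of the served zones visited when answering qname and following
    CNAMEs across local zone cuts; each contributes its own NS RRset (with its
    own TTL) if the server descends into the next zone as the thread shows."""
    touched, name = [], qname.lower()
    for _ in range(max_hops):
        apex = closest_zone(name, zones)
        if apex is None:
            break
        if apex not in touched:
            touched.append(apex)
        cname = zones[apex].get(name, {}).get("CNAME")
        if not cname:
            break
        name = cname[0][1]
    return touched

def merge_child_into_parent(zones, child_apex):
    """The operational fix: remove the zone cut by folding the child's data into
    the parent, dropping the child's apex SOA/NS and the parent's delegation
    NS RRset.  Returns a new zones dict; the input is left untouched."""
    zones = copy.deepcopy(zones)
    child = zones.pop(child_apex)
    parent = zones[closest_zone(child_apex, zones)]
    parent.get(child_apex, {}).pop("NS", None)
    if child_apex in parent and not parent[child_apex]:
        del parent[child_apex]
    for owner, rrsets in child.items():
        for rtype, rrs in rrsets.items():
            if owner == child_apex and rtype in ("SOA", "NS"):
                continue  # no apex records survive, so no zone cut survives
            parent.setdefault(owner, {}).setdefault(rtype, []).extend(rrs)
    return zones

if __name__ == "__main__":
    for f in find_cross_cut_cnames(CONSTRUCTED_ZONES):
        print("CNAME %s -> %s crosses cut at %s (child served here: %s)" % f)
    print("zones touched:", zones_touched_by_chain(CONSTRUCTED_ZONES, "www.paphosting.net."))
    merged = merge_child_into_parent(CONSTRUCTED_ZONES, "l.paphosting.net.")
    print("after merge:", find_cross_cut_cnames(merged),
          zones_touched_by_chain(merged, "www.paphosting.net."))
```

Before the merge the checker reports the www CNAME crossing the cut at l.paphosting.net. and two zones touched by the chain, matching the two NS RRsets with different TTLs in the response quoted above; after the merge there is one zone, one NS RRset, and nothing for a resolver to treat as a corner case.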


