[Unbound-users] SERVFAIL with *some* names in a DNSSEC+DLV signed zone
Stephane Bortzmeyer
bortzmeyer at nic.fr
Fri Sep 4 06:42:48 UTC 2009
On Thu, Aug 27, 2009 at 11:08:31AM +0200,
W.C.A. Wijngaards <wouter at nlnetlabs.nl> wrote
a message of 46 lines which said:
> Can you give me more details?
...
> Can you give the output of the query +cdflag (what was the
> data that failed?)
OK, since the problem occured again this morning (SOA souissi.net
fails, SOA sources.org works), here is the full disclosure (do note
that SERVFAIL depends on the QTYPE, not only the QNAME):
% dig +dnssec MX souissi.net
; <<>> DiG 9.5.1-P3 <<>> +dnssec MX souissi.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64634
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 9
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;souissi.net. IN MX
;; ANSWER SECTION:
souissi.net. 86400 IN MX 10 mx1.souissi.net.
souissi.net. 86400 IN MX 20 mylar.selfns.net.
souissi.net. 86400 IN RRSIG MX 5 2 86400 20091001060200 20090901060200 8850 souissi.net. he5nHZ9ZdSkmZAreeyZ3mqob1VP6wy/BCYGgeImDrwDRg9HaDyUdjDCt rX0UGFMPtETtpULEKNVYTmVQd30r//l+TBLWbElNdsAq/qW4OIbmbgfT vLTFeAJsfwlEQ3Ch2/NwmCQjdTd0DkMlva+hCtJ3MeQurjTamfuSWuku U5Y=
;; AUTHORITY SECTION:
souissi.net. 86400 IN NS ns-slave.free.org.
souissi.net. 86400 IN NS ns1.souissi.net.
souissi.net. 86400 IN RRSIG NS 5 2 86400 20091001060200 20090901060200 8850 souissi.net. BbOxk5nOJfEYBFPTkLmfTtLKb4+L/Rj4lfaUPWJd/CQAiQn7GF5qMTR8 Gr1bX1ncpVQM5tmsJu26mxlauiJAiTGqF0HXwuizsi6B4M+6ZJp/qlAF 1hOZ/Q88/48UUTDnIRGLu4+WNQpSEnjZYS6LlaFYxXiDas8Ef+u3sMc7 S28=
;; ADDITIONAL SECTION:
mx1.souissi.net. 86400 IN A 91.121.163.99
mx1.souissi.net. 86400 IN AAAA 2001:41d0:1:e463:dead:beef:face:1
ns1.souissi.net. 86400 IN A 91.121.163.99
ns1.souissi.net. 86400 IN AAAA 2001:41d0:1:e463:dead:beef:face:1
mx1.souissi.net. 86400 IN RRSIG A 5 3 86400 20091001060200 20090901060200 8850 souissi.net. TVNYVYAhwSQasJaQT/DW3UdZ+7kn/w2HqUvw9mXa6c58F8RBqoKOgAGF zO8ZR8i9Dc1I3qFXgXUojP3MTML+6ItHtK+ktKVCYJ/fHfXObauP68X8 bFjE+bMKl71bcI07e206/Gfuqrw5CM46vhUL8sAKipad4G1MPh+cL+Yd wkw=
mx1.souissi.net. 86400 IN RRSIG AAAA 5 3 86400 20091001060200 20090901060200 8850 souissi.net. cUZvufe1UYszNAIS78GLrUZxa4N6XMA0YDJsXneCERw7McWyIOic21+7 DGIkd8Cth4F/tz/C6QjjGlULLz+Z/t/nV/uH9HdCdXInb9V8m/K6tId4 Nk04lp0MzhYjCQK7gvnZaTeXpfceLZNsIkqqPJiJeCGYx3nUcYMy3x0N czI=
ns1.souissi.net. 86400 IN RRSIG A 5 3 86400 20091001060200 20090901060200 8850 souissi.net. OG6LheSUBXSH/m8XW+jzWwo9eFBOA0ax5q0eWhKwFjYPrZdY4A+06Rz+ BW2iguIStEx46+YfWSuUn6MzuDJ7lgljbRPgQ2DTDWdZOb1bEPq7XyK0 YZ3j5J4DaBBvebZnGFDvTOLaFr/cGRumiXYf2dNlacQiBmnrrmtXAD3c kD4=
ns1.souissi.net. 86400 IN RRSIG AAAA 5 3 86400 20091001060200 20090901060200 8850 souissi.net. WOxlR+RwhQv5GRm3VeDOf7WOHfeUkDXNEWKjFFKpJttQZQv2NYyH0oqM kBW4+UUc0BMKK0MHwtEgRxwGyWjjGGFtYRvlswetOVT1UnuDF8B3nPlu DtHQ7ZAR663EbpE/g+faAZVaLS91BorcYSA/ltk7eoF1mjCevKprWDm4 CJ0=
;; Query time: 8 msec
;; SERVER: ::1#53(::1)
;; WHEN: Fri Sep 4 08:39:31 2009
;; MSG SIZE rcvd: 1252
% dig +dnssec SOA souissi.net
; <<>> DiG 9.5.1-P3 <<>> +dnssec SOA souissi.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17478
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;souissi.net. IN SOA
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Fri Sep 4 08:40:21 2009
;; MSG SIZE rcvd: 40
% dig +dnssec SOA sources.org
; <<>> DiG 9.5.1-P3 <<>> +dnssec SOA sources.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22082
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 7, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;sources.org. IN SOA
;; ANSWER SECTION:
sources.org. 86400 IN SOA ns3.bortzmeyer.org. hostmaster.bortzmeyer.org. 2009090100 7200 3600 604800 43200
sources.org. 86400 IN RRSIG SOA 3 2 86400 20091102035202 20090901035202 14347 sources.org. CIE1J9Im49PJBYPZQyV6Nrk/B0i0MZQi9SehcF7R+agqz9UJRzReLwI=
sources.org. 86400 IN RRSIG SOA 5 2 86400 20091102035202 20090901035202 22107 sources.org. j2M7O6urcyXrj/WDhgdR1m9CbTOhEGLNtL5hYs7PHTghblln+yYclnQw KQmdZAYKLm2XFsrYiYSHVAc3i6jAVMb4rDE30R1Ckk3OC7cTTYEslqei RYzrpscfyt5cS6BRZz4feY1wEy3uJ1qaPSKZ8x0iUkVUXM63rGFxie4V J6vwPGnp5ToeP6Ewkyp22Q71ckIGcPKUkmdZD7o2RX2BEoitJUmj2LAD XY/mA4tbgTdm23WFmuW9zAY+2WiYjlCJKKf2TEb2XA0GnZYx0m9RSOuj pu7aCWKZo+Rf1Z5favipVJ9Jt2IkOpSCTBjy8PDYOyT8XbnMCmRj2Lo1 cvezNg==
;; AUTHORITY SECTION:
sources.org. 86400 IN NS ns4.generic-nic.net.
sources.org. 86400 IN NS munzer.bortzmeyer.org.
sources.org. 86400 IN NS ns3.bortzmeyer.org.
sources.org. 86400 IN NS munzer.ipv6.bortzmeyer.org.
sources.org. 86400 IN NS ns6.gandi.net.
sources.org. 86400 IN RRSIG NS 3 2 86400 20091102035202 20090901035202 14347 sources.org. CKHF2HzIBvqloe0oSj/CX+ZsESq3B35PMPwNJQP9YM8JpTRVToBQ5Cw=
sources.org. 86400 IN RRSIG NS 5 2 86400 20091102035202 20090901035202 22107 sources.org. MWXlsrOpRA6V+dt4YYn/tlDtcJtKkgnv+ezi9OR2ZupgDvHVLE6yKy99 Ze8oWrM8bIRH0C6PynqC/yYuVSVUzMxYiKvDFca6GIyhNd6IS9+AghfY b2AYPb3wCv/sgATDUNnSQl4yQENXU6N4E2VIsucELFSBwiI1Q3fzDMK5 uX+DMvJk9sAJ1JAGLvwlxpzsdKA3C32scYJBxiTJNqHY6K4cBompHTgi L3oWnUh6/aECWBd39WUDgAvjgHiSIX1k4aw9XpUV8RoHidCvbwcufsTt xzhF1C9pIO+eZCf0xWoHb16jMGfWmgVIdL/PkU3k5bcNmEGoYQSFeTZv cmsMFQ==
;; Query time: 6 msec
;; SERVER: ::1#53(::1)
;; WHEN: Fri Sep 4 08:41:09 2009
;; MSG SIZE rcvd: 986
% dig +cd +dnssec SOA souissi.net
; <<>> DiG 9.5.1-P3 <<>> +cd +dnssec SOA souissi.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60400
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;souissi.net. IN SOA
;; ANSWER SECTION:
souissi.net. 86025 IN SOA ns1.souissi.net. hostmaster.souissi.net. 2009090101 3600 900 3600000 900
;; AUTHORITY SECTION:
souissi.net. 86291 IN NS ns-slave.free.org.
souissi.net. 86291 IN NS ns1.souissi.net.
souissi.net. 86291 IN RRSIG NS 5 2 86400 20091001060200 20090901060200 8850 souissi.net. BbOxk5nOJfEYBFPTkLmfTtLKb4+L/Rj4lfaUPWJd/CQAiQn7GF5qMTR8 Gr1bX1ncpVQM5tmsJu26mxlauiJAiTGqF0HXwuizsi6B4M+6ZJp/qlAF 1hOZ/Q88/48UUTDnIRGLu4+WNQpSEnjZYS6LlaFYxXiDas8Ef+u3sMc7 S28=
;; ADDITIONAL SECTION:
ns1.souissi.net. 86000 IN A 91.121.163.99
ns1.souissi.net. 86000 IN AAAA 2001:41d0:1:e463:dead:beef:face:1
ns1.souissi.net. 86000 IN RRSIG A 5 3 86400 20091001060200 20090901060200 8850 souissi.net. OG6LheSUBXSH/m8XW+jzWwo9eFBOA0ax5q0eWhKwFjYPrZdY4A+06Rz+ BW2iguIStEx46+YfWSuUn6MzuDJ7lgljbRPgQ2DTDWdZOb1bEPq7XyK0 YZ3j5J4DaBBvebZnGFDvTOLaFr/cGRumiXYf2dNlacQiBmnrrmtXAD3c kD4=
ns1.souissi.net. 86000 IN RRSIG AAAA 5 3 86400 20091001060200 20090901060200 8850 souissi.net. WOxlR+RwhQv5GRm3VeDOf7WOHfeUkDXNEWKjFFKpJttQZQv2NYyH0oqM kBW4+UUc0BMKK0MHwtEgRxwGyWjjGGFtYRvlswetOVT1UnuDF8B3nPlu DtHQ7ZAR663EbpE/g+faAZVaLS91BorcYSA/ltk7eoF1mjCevKprWDm4 CJ0=
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Fri Sep 4 08:41:20 2009
;; MSG SIZE rcvd: 693
% dig DNSKEY souissi.net
; <<>> DiG 9.5.1-P3 <<>> DNSKEY souissi.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50673
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;souissi.net. IN DNSKEY
;; ANSWER SECTION:
souissi.net. 85955 IN DNSKEY 257 3 5 AwEAAbiXOW26EYYHFx/ydGzDW4+ixz5xoWF9ANdmZT6+3bMBlWskh2GZ KPKhlgH0YAtpcNG4/9kH+e7yfEUiX15Tc3zMk+WYKllMiqGvKr6KSz+p RQlUegflFJwDnBfXWlKqyoPXn2szhSGMBNcIrX2W5KucoMQUQesrjjtE XGMPVVqEL5YkX3Qk4OxXWdou/9d/R3nVfQTyQadgOl8q5StAPgQsR+wJ 6B0H5PyziiRAtjsnFJYH+yQiD1SFw5MuZBoVTtblrAY7wo4Boqh6IiCj qvGk9/RNK6AcEbcs4tDvoCZxcRZFBCeHCnzgdlk5f8u6wN+Fs6bIVO76 +wuOos+OPnCO1ndsaO5j5KPRC/ChWiKTZ9gy3Sia1hO/qSjOi/w16VW6 ES/pQrv9QokTGTLuL6HatXkMWoyX6E+dj2rimKEnNmXKUK7otglLSoCW +ca0+OAVrupRYWsn4UwO5UprnFMo2gLz69jKVx/gIh7hgSBLKJFO8omT LLDVOKaOHzsVulfp/Qs8b8x8TqU4ncteyx1MPxJCUo6DiIFnnGkD7RSC S7Bk7izWdMCzlpCWLekPMwihx9UW4hqwjQ6L6wFiiJulC4eZP+jODQ/8 BC/Vr7Q+XyBhGh7K4kkbPOVk1hCJNglhxQ7Q/3hWGuZVrYUqOX7s2Zhl EPMLgQqafoX7rAyd
souissi.net. 85955 IN DNSKEY 256 3 5 AwEAAcJcU4Ih5IkoLhNLC6mq902qVagsh8IEKyfqQE5/ngZkL0r+NAww RiJdSO2muPkk0qQsD+duziDon7Mz1E/EBuetI8ZE/zdmowu9outSTfRN lYvxNoQTSVZ0w8Ct3/qeNG1qpXr9nERqMz663tI9BKc866K5ajj0eI0v YXqkpptp
;; Query time: 1 msec
;; SERVER: ::1#53(::1)
;; WHEN: Fri Sep 4 08:42:05 2009
;; MSG SIZE rcvd: 720
% dig ANY souissi.net.dlv.isc.org
; <<>> DiG 9.5.1-P3 <<>> ANY souissi.net.dlv.isc.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50301
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 6, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;souissi.net.dlv.isc.org. IN ANY
;; ANSWER SECTION:
souissi.net.dlv.isc.org. 3600 IN NSEC stormrevel.net.dlv.isc.org. RRSIG NSEC DLV
souissi.net.dlv.isc.org. 3600 IN RRSIG NSEC 5 5 3600 20091004051505 20090904051505 64263 dlv.isc.org. R/6wE7ZXOJrSf2iIUidk4ZeZ8g5WOzZGUpl2cI/rWNHn2mAyR8AfSYFY 29qtCEnfed923cVkdVFuJarZEB9IHtgD8S7UQBMloElfy51Q4RDl6IFJ cH4Y/34InJ33w7/IuuOxtH8xQZTWEXeJTIpCeitddmo4X/B1GaH1x2Cz VaE=
souissi.net.dlv.isc.org. 3600 IN DLV 28198 5 1 C6C7D20861D7E03915012AFAD74F20F17F212964
souissi.net.dlv.isc.org. 3600 IN DLV 28198 5 2 3C54CCD5EE584519C4A5CF47BFAF359B0C06B4261965A265F8A28AF4 259B1184
souissi.net.dlv.isc.org. 3600 IN RRSIG DLV 5 5 3600 20091004051505 20090904051505 64263 dlv.isc.org. oNhnBAQRgMi5mggt7Rhhts+AZFdANZUcDx010KoHxw3txcNjOeB2EJoN 9q+16FvkezefeiMlBwzx4IHs4q7D+XsvFmmmgtybYNRNHVR+Xw+GP2Ee wTsJlzBF7ggmO8VF+Upn5XhdtHI2ggdZBNLkZHfd3XFnT8hCf/d6UGI4 wRI=
;; AUTHORITY SECTION:
dlv.isc.org. 3600 IN NS ns1.isc.ultradns.net.
dlv.isc.org. 3600 IN NS dlv.sfba.sns-pb.isc.org.
dlv.isc.org. 3600 IN NS dlv.ams.sns-pb.isc.org.
dlv.isc.org. 3600 IN NS dlv.ord.sns-pb.isc.org.
dlv.isc.org. 3600 IN NS ns.isc.afilias-nst.info.
dlv.isc.org. 3600 IN NS ns2.isc.ultradns.net.
;; Query time: 19 msec
;; SERVER: ::1#53(::1)
;; WHEN: Fri Sep 4 08:42:24 2009
;; MSG SIZE rcvd: 692
More information about the Unbound-users
mailing list