[Unbound-users] Parent child disagreement problem
Paul Wouters
paul at xelerance.com
Thu May 13 13:26:22 UTC 2010
On Thu, 13 May 2010, Mike Emigh wrote:
> We ran across a new problem in what appears to be parent-child
> disagreement on version 1.4.4. The resolution appears to work as
> expected when digging for A records in the domain, but if you first
> dig for the NS (starting with an empty cache), then subsequent A
> record lookups fail.
> If you dig safesvc.gov.cn NS, it returns an invalid response:
>
> ;; ANSWER SECTION:
> safesvc.gov.cn. 3600 IN NS netdns.
>
> Then trying to resolve an A record from this domain results in a SERVFAIL:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1462

I did this against a non-dnssec bind, and it produced the same result.

> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.safesvc.gov.cn. IN A
>
> The A query appears to work as expected if you never issue the
> 'dig safesvc.gov.cn NS' command.

Except I always get a servfail for www.safesvc.gov.cn.

The domain is pretty broken:

$ dnscheck safesvc.gov.cn.
0.000: safesvc.gov.cn. INFO Begin testing zone safesvc.gov.cn. with version 0.93_01.
0.000: safesvc.gov.cn. INFO Begin testing delegation for safesvc.gov.cn..
9.067: safesvc.gov.cn. INFO Name servers listed at parent: netdns.safesvc.com.cn
9.387: safesvc.gov.cn. ERROR No name servers found at child.
9.387: safesvc.gov.cn. ERROR Superfluous name server listed at parent: netdns.safesvc.com.cn
9.388: safesvc.gov.cn. ERROR Too few name servers (0).
9.388: safesvc.gov.cn. INFO Done testing delegation for safesvc.gov.cn..
9.388: safesvc.gov.cn. CRITICAL Fatal error in delegation for zone safesvc.gov.cn..
9.388: safesvc.gov.cn. INFO Test completed for zone safesvc.gov.cn..
$
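
Added example, not part of the original message and not dnscheck's code: a minimal offline comparison of two NS RRsets for one zone, of the kind a parent/child delegation check performs. The function names are hypothetical, and the sample lines are constructed from the names quoted in this thread (the TTL on the parent line is assumed).

```python
# Added example: compare the NS set held by the parent with the NS set
# returned for the zone itself. Input is dig-style "owner TTL class type rdata".

def parse_ns(text, zone):
    """Return the set of NS targets for `zone` found in dig-style lines."""
    zone = zone.lower().rstrip(".") + "."
    targets = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):   # skip blanks and dig comments
            continue
        fields = line.split()
        if len(fields) != 5:
            continue
        owner, _ttl, rclass, rtype, rdata = fields
        if rclass.upper() != "IN" or rtype.upper() != "NS":
            continue
        if owner.lower().rstrip(".") + "." != zone:
            continue
        targets.add(rdata.lower().rstrip(".") + ".")
    return targets


def check_delegation(zone, parent_text, child_text):
    """Return a list of findings describing how the two NS sets disagree."""
    parent = parse_ns(parent_text, zone)
    child = parse_ns(child_text, zone)
    findings = []
    if not child:
        findings.append("no NS records at child")
    for ns in sorted(parent - child):
        findings.append(f"listed at parent only: {ns}")
    for ns in sorted(child - parent):
        findings.append(f"listed at child only: {ns}")
    for ns in sorted(parent | child):
        # A single-label target sits directly under the root, so it is
        # most likely a truncated or unqualified host name.
        if ns.count(".") == 1:
            findings.append(f"single-label NS target: {ns}")
    return findings


# Constructed sample data based on the names quoted in the thread.
PARENT_NS = "safesvc.gov.cn. 3600 IN NS netdns.safesvc.com.cn."
ANSWER_NS = ";; ANSWER SECTION:\nsafesvc.gov.cn. 3600 IN NS netdns."

if __name__ == "__main__":
    for finding in check_delegation("safesvc.gov.cn", PARENT_NS, ANSWER_NS):
        print(finding)
```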