[Unbound-users] Problems with dipmap.com
wouter at NLnetLabs.nl
Mon Sep 19 12:08:59 UTC 2011
On 09/19/2011 01:03 PM, Attila Nagy wrote:
> There is a problem with resolving names from dipmap.com with unbound.
> Currently, the root NSs give back three nameservers, from which only one
> works (at least from our network).
> And that one has a bad NS RR:
> $ dig ns dipmap.com @ns.dipmap.com.
> ; <<>> DiG 9.6.-ESV-R4-P1 <<>> ns dipmap.com @ns.dipmap.com.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25982
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;dipmap.com. IN NS
> ;; ANSWER SECTION:
> dipmap.com. 60 IN NS sql2005.
> It seems that unbound stores that nameserver and wants to query it, so
> either a time out or a SERVFAIL happens to the client.
Yes it wants to query it, but in my test it quickly finds out that the
bad-name does not exist. Then it tries the last resort: it falls back
to the parent nameserver NSset. And this works. So it works fine for me?
> I thought that a recursive DNS server shouldn't cache NS records from
> the zone's authoritative name server, it should only trust in the upper
No, the child's server is the most authoritative for its NS record. The
upper servers only give hints to reach the child. But this zone is
> ISC BIND doesn't have this behaviour -it seems-, so it can resolve names
> from this domain.
Well, so should we really. Since it works for me, but not for you, can
you tell me what happens when it does not want to work: set verbosity to
4 and do a probe and look at the logs. It should try the last resort.
This was added in 1.4.5 so if you are running older unbound, that would
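The behaviour described in the reply above, as an added example that is not part of the original message and is not Unbound's code: it parses the quoted dig NS answer, flags the single-label target, and models the child-first choice with the parent's NS set as last resort. The parent NS names other than ns.dipmap.com, the function names and the `resolvable` predicate are assumptions made for illustration.

```python
# Simplified model for illustration; not Unbound's actual implementation.

DIG_ANSWER = """\
;; ANSWER SECTION:
dipmap.com. 60 IN NS sql2005.
"""  # copied from the dig output quoted in the message

# Constructed sample data: the message names only ns.dipmap.com;
# the other two delegation names are placeholders.
PARENT_NS = ["ns.dipmap.com.", "ns-a.example.", "ns-b.example."]


def parse_ns(dig_text):
    """Return NS targets from dig-style 'owner ttl IN NS target' lines."""
    targets = []
    for line in dig_text.splitlines():
        fields = line.split()
        if line.startswith(";") or len(fields) != 5:
            continue  # skip dig comments, blank lines, other shapes
        owner, ttl, rrclass, rrtype, target = fields
        if ttl.isdigit() and rrclass.upper() == "IN" and rrtype.upper() == "NS":
            targets.append(target.lower())
    return targets


def suspicious_targets(targets):
    """Flag single-label NS targets such as 'sql2005.': they are not host
    names under any registered domain, so resolvers cannot reach them."""
    return [t for t in targets if len(t.rstrip(".").split(".")) < 2]


def choose_ns(child_ns, parent_ns, resolvable):
    """Prefer the child's NS set; fall back to the parent's delegation only
    when no child NS name resolves. `resolvable` is a caller-supplied
    predicate (hypothetical; a real check would perform DNS lookups)."""
    usable = [n for n in child_ns if resolvable(n)]
    if usable:
        return "child", usable
    return "parent-fallback", [n for n in parent_ns if resolvable(n)]


if __name__ == "__main__":
    child = parse_ns(DIG_ANSWER)
    print("child NS:", child, "suspicious:", suspicious_targets(child))
    # Constructed reachability: only ns.dipmap.com answers, as reported.
    print(choose_ns(child, PARENT_NS, lambda n: n == "ns.dipmap.com."))
```

Zone operators can run the same parse and flag step against their own authoritative answers to catch an NS target that resolvers without a parent fallback would fail on.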