[Unbound-users] Problems with dipmap.com
wouter at NLnetLabs.nl
Tue Sep 20 07:46:41 UTC 2011
-----BEGIN PGP SIGNED MESSAGE-----
Hi Hauke, Robert,
On 09/19/2011 05:41 PM, Hauke Lampe wrote:
> On 19.09.2011 15:51, W.C.A. Wijngaards wrote:
>> I do not understand how they continue to query LAME servers.
> Doesn't look lame to me. It answers queries for tirparkolo.dipmap.com as
> well as for ns/ns1/ns2.dipmap.com. Only the NS record is wrong.
> My Unbound resolver (current svn) keeps returing the correct answer.
There is a bug, which I fixed (thank Amanda from Secure64), it has a
wrong classification internally. What is also wrong with the
dir.slb.com setup (how many things can you break at the same time?) is
that the slb.com DNS servers are stealth serving the dir.slb.com zone as
well. Their AA answer is the final answer for BIND, but unbound
classified it wrong and wanted to as dir.slb.com DNS servers for the
answer ... but those do not answer. Fixed in svn trunk.
>> If it would not
>> give Lame answers, then it would work with unbound (and the parent-child
>> disagreement would not be an issue).
> Shouldn't it fail with "harden-referral-path" set? Or is it enough if
> the child servers sends answers for the nameserver names from the parent
> zone even if the NS records differ?
> Here's a query trace from unbound-host w/ harden-referral-path:
No, harden referral path is OK if the answer does not arrive for the NS
set. It is lenient for this sort of brokenness.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
More information about the Unbound-users