Odd SERVFAIL at insecure delegation

T.Suzuki tss at reflection.co.jp
Tue Nov 3 05:39:19 UTC 2020


Why is this?

insecure.mufj.jp is a domain with an insecure delegation from the mufj.jp zone.
insecure.mufj.jp is delegated to ns3.mufj.jp,
but ns3 has a private(?) mufj.jp zone instead of an insecure.mufj.jp zone.
insecure.mufj.jp has a CNAME and an RRSIG (but no DS record in mufj.jp).

With this configuration, Unbound returns SERVFAIL for insecure.mufj.jp.
BIND, Knot Resolver, PowerDNS Recursor return NOERROR.

There are many oddities, but it's also odd to fail to verify,
because it's an insecure delegation.

~% dig insecure.mufj.jp +noall +comm +ans

; <<>> DiG 9.9.5 <<>> insecure.mufj.jp +noall +comm +ans
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1635
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232

~% dig insecure.mufj.jp +noall +comm +ans +cd

; <<>> DiG 9.9.5 <<>> insecure.mufj.jp +noall +comm +ans +cd
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40906
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; ANSWER SECTION:
insecure.mufj.jp.	57	IN	CNAME	www.e-ontap.com.
www.e-ontap.com.	1566	IN	A	49.212.171.172

p.s.
This is a reconfiguration of what happened at jp.sharp.
https://dnsviz.net/d/jp.sharp/X5KgRQ/dnssec/

-- 
------------------------------------------------------------------------------
T.Suzuki 


More information about the Unbound-users mailing list
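The validation decision the post is about, as an added illustration that is not Unbound's code nor anything from the thread: a small Python model of the delegation-chain walk a DNSSEC validator is expected to perform (RFC 4035, sections 4.3 and 5.2). The zone names are the ones from the post; the `Cut` and `Answer` structures, the key tags and the helper names are constructed assumptions. The point it shows is that the first cut with a proven-absent DS ends the chain, so an RRSIG on data below that cut is ignored rather than verified, and a naive validator that instead trusts the RRSIG signer name turns the same answer into BOGUS (SERVFAIL).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Security states from RFC 4035 section 4.3 (Indeterminate omitted for brevity).
SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"


@dataclass(frozen=True)
class Cut:
    """A zone cut as seen from the parent side. All values are constructed."""
    zone: str                 # apex of the child zone, e.g. "mufj.jp."
    ds_present: bool          # parent publishes a DS RRset for this child
    ds_absence_proven: bool   # parent's signed NSEC/NSEC3 proves there is no DS
    key_tag: Optional[int]    # key tag of the child's real DNSKEY (None if unsigned)


@dataclass(frozen=True)
class Answer:
    """An answer RRset plus the RRSIG that came with it (if any)."""
    owner: str
    signer: Optional[str]     # RRSIG signer name, None when unsigned
    key_tag: Optional[int]    # key tag carried in the RRSIG


def cuts_from_anchor_to(qname: str, cuts: Dict[str, Cut]) -> List[Cut]:
    """Return the known zone cuts between the root and qname, top-down."""
    labels = qname.rstrip(".").split(".")
    found = []
    for i in range(len(labels) - 1, -1, -1):
        name = ".".join(labels[i:]) + "."
        if name in cuts:
            found.append(cuts[name])
    return found


def signature_checks(ans: Answer, cut: Cut) -> bool:
    """Stand-in for real RRSIG verification: the signer must be the zone that
    is authoritative for the owner and the key tag must match that zone's key."""
    return ans.signer == cut.zone and ans.key_tag == cut.key_tag


def validate(qname: str, ans: Answer, cuts: Dict[str, Cut]) -> str:
    """Walk the delegation chain from the trust anchor (assumed above the first
    listed cut) down to qname. The first cut whose DS is proven absent ends the
    chain: everything below it is INSECURE and its RRSIGs are not verified."""
    last_secure = None
    for cut in cuts_from_anchor_to(qname, cuts):
        if cut.ds_present:
            last_secure = cut
            continue
        if cut.ds_absence_proven:
            return INSECURE
        return BOGUS  # neither a DS nor a proof of its absence: cannot decide
    if last_secure is None:
        return INSECURE  # no signed ancestor known at all: nothing to check against
    return SECURE if signature_checks(ans, last_secure) else BOGUS


def validate_by_signer_name(ans: Answer, cuts: Dict[str, Cut]) -> str:
    """Constructed for contrast only (not any resolver's actual logic): trust the
    zone named in the RRSIG and verify against it, without first locating the
    delegation point. A signer naming a secure zone whose key does not match
    yields BOGUS, which the client sees as SERVFAIL."""
    if ans.signer is None:
        return INSECURE
    cut = cuts.get(ans.signer)
    if cut is None or not cut.ds_present:
        return INSECURE
    return SECURE if signature_checks(ans, cut) else BOGUS


def rcode(state: str) -> str:
    """What a validating resolver returns to the stub (RFC 4035 section 5.5)."""
    return "SERVFAIL" if state == BOGUS else "NOERROR"


# Constructed chain: jp. and mufj.jp. have DS records in their parents; the
# insecure.mufj.jp. cut has a signed denial of DS in mufj.jp (insecure delegation).
CUTS = {
    "jp.": Cut("jp.", ds_present=True, ds_absence_proven=False, key_tag=1000),
    "mufj.jp.": Cut("mufj.jp.", ds_present=True, ds_absence_proven=False, key_tag=2000),
    "insecure.mufj.jp.": Cut("insecure.mufj.jp.", ds_present=False,
                             ds_absence_proven=True, key_tag=None),
}

# ns3's private copy of mufj.jp signs with a key the public mufj.jp never
# published (key tag 2999 is constructed), so its RRSIG can never verify.
PAGE_CASE = Answer(owner="insecure.mufj.jp.", signer="mufj.jp.", key_tag=2999)

if __name__ == "__main__":
    chain = validate("insecure.mufj.jp", PAGE_CASE, CUTS)
    naive = validate_by_signer_name(PAGE_CASE, CUTS)
    print(f"chain walk     : {chain} -> {rcode(chain)}")
    print(f"signer-name only: {naive} -> {rcode(naive)}")
```

The `+cd` query in the post is the practical check for which side of this line a failure falls on: with checking disabled the resolver skips the state machine above entirely, so a NOERROR with `+cd` and SERVFAIL without it pinpoints validation rather than the authoritative side as the source of the failure.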