Odd SERVFAIL at insecure delegation
T.Suzuki
tss at reflection.co.jp
Tue Nov 3 05:39:19 UTC 2020
Why is this?
Insecure.mufj.jp is a domain of insecure delegation from mufj.jp zone.
Insecure.mufj.jp is delegated to ns3.mufj.jp,
but ns3 has a private(?) mufj.jp zone instead of insecure.mufj.jp zone.
Insecure.mufj.jp has a CNAME and an RRSIG. (but no DS record in mufj.jp)
With this configuration, Unbound returns SERVFAIL for insecure.mufj.jp.
BIND, Knot Resolver, PowerDNS Recursor return NOERROR.
There are many oddities, but it's also odd to fail to verify.
Because it's an insecure delegation.
~% dig insecure.mufj.jp +noall +comm +ans
; <<>> DiG 9.9.5 <<>> insecure.mufj.jp +noall +comm +ans
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1635
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
~% dig insecure.mufj.jp +noall +comm +ans +cd
; <<>> DiG 9.9.5 <<>> insecure.mufj.jp +noall +comm +ans +cd
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40906
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; ANSWER SECTION:
insecure.mufj.jp. 57 IN CNAME www.e-ontap.com.
www.e-ontap.com. 1566 IN A 49.212.171.172
p.s.
This is a reconfiguration of what happened at jp.sharp.
https://dnsviz.net/d/jp.sharp/X5KgRQ/dnssec/
--
------------------------------------------------------------------------------
T.Suzuki
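
Added example, not part of the original post: the two dig runs above (without and with +cd) form a standard check for telling a DNSSEC validation failure apart from an ordinary resolution failure, and this sketch automates that comparison. The function names and result labels are assumptions made for illustration; the sample input is the header output quoted in the post.

```python
import re

HEADER_RE = re.compile(r"->>HEADER<<- opcode: \w+, status: (\w+), id: \d+")
FLAGS_RE = re.compile(r";; flags: ([a-z ]*); QUERY: \d+, ANSWER: (\d+)")

# Sample input: header lines as quoted in the post above.
PLAIN = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1635
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 1232"""
WITH_CD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40906
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
; EDNS: version: 0, flags:; udp: 1232"""

def parse_dig(text):
    """Extract rcode, header flags and answer count from dig +comm output."""
    header = HEADER_RE.search(text)
    flags = FLAGS_RE.search(text)  # ';; flags:' skips the '; EDNS: ... flags:' line
    if not header or not flags:
        raise ValueError("no dig header found")
    return {
        "status": header.group(1),
        "flags": set(flags.group(1).split()),
        "answers": int(flags.group(2)),
    }

def classify(plain_text, cd_text):
    """Compare a normal query with the same query sent with +cd."""
    plain, cd = parse_dig(plain_text), parse_dig(cd_text)
    if "cd" not in cd["flags"]:
        raise ValueError("second response does not carry the cd flag")
    if plain["status"] == "NOERROR":
        # 'ad' means the resolver validated the answer; without it the
        # answer is insecure or was simply not validated.
        return "validated" if "ad" in plain["flags"] else "insecure-or-unvalidated"
    if plain["status"] == "SERVFAIL":
        if cd["status"] == "NOERROR" and cd["answers"] > 0:
            # Data is reachable; only validation made the resolver fail.
            return "dnssec-validation-failure"
        if cd["status"] == "SERVFAIL":
            # Fails even with checking disabled: not a DNSSEC problem.
            return "resolution-failure"
    return "other"

if __name__ == "__main__":
    print(classify(PLAIN, WITH_CD))
```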