Odd SERVFAIL at insecure delegation
Viktor Dukhovni
ietf-dane at dukhovni.org
Tue Nov 3 20:59:20 UTC 2020
On Tue, Nov 03, 2020 at 02:39:19PM +0900, T.Suzuki wrote:
>
> Insecure.mufj.jp is a domain of insecure delegation from mufj.jp zone.
> Insecure.mufj.jp is delegated to ns3.mufj.jp,
> but ns3 has a private(?) mufj.jp zone instead of insecure.mufj.jp zone.
> Insecure.mufj.jp has a CNAME and a RRSIG. (but no DS record in mufj.jp)
>
> With this configuration, Unbound returns SERVFAIL for insecure.mufj.jp.
> BIND, Knot Resolver, PowerDNS Recursor return NOERROR.

One of the nameservers is returning bad data:

https://dnsviz.net/d/insecure.mufj.jp/X6HDgw/dnssec/

This can lead to sporadic validation failures.

--
Viktor.

More information about the Unbound-users mailing list