I have a couple of recursive servers running 9.10.3-P2 which are
intermittently returning SERVFAIL responses for queries under
a.f.f.184.108.40.206.8.1.0.a.2.ip6.arpa. This domain is in dlv.isc.org; its
parent is unsigned but seems to be DNSSEC-aware - the servers set DO and
give the correct authority for DS nodata responses.
One of my servers is currently in the broken state. named_dump.db has
; Bad cache
; a.f.f.220.127.116.11.8.1.0.a.2.ip6.arpa/DS [ttl 429219]
The TTL here is misleading - unlike other TTLs it is in milliseconds, so
it is more reasonable than it appears to be.
Based on reading the code, I think there are two ways for entries to get
into the bad cache: either the nameservers have no addresses or there is a
problem with the trust chain. I think the following cache entries rule the
first one out:
ns0.ai270.NET. 26445 A 18.104.22.168
ns1.ai270.NET. 26445 A 22.214.171.124
In the second case the name server addresses get added to a bad list.
Ah, but I have turned off lame server logging so I don't have a copy of
the relevant log line; I shall change that.
Anyone have any more clues about what might be going wrong?
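As an added example (not code from this thread or from BIND), a small Python parser for the "; Bad cache" section of named_dump.db in the format shown above; it treats the bracketed TTL as milliseconds, following the observation in this post, and picks out entries under a given zone with a label-aware comparison. The dump text is constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List

# One "Bad cache" line as it appears in named_dump.db, e.g.
#   ; 0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa/DS [ttl 429219]
BAD_LINE = re.compile(
    r"^;\s*(?P<name>\S+)/(?P<rrtype>[A-Z0-9]+)\s+\[ttl\s+(?P<ttl>\d+)\]\s*$"
)


@dataclass
class BadCacheEntry:
    name: str
    rrtype: str
    ttl_ms: int  # assumption taken from the post: this TTL is in milliseconds

    @property
    def ttl_seconds(self) -> float:
        return self.ttl_ms / 1000.0


def parse_bad_cache(dump: str) -> List[BadCacheEntry]:
    """Return the entries listed under the '; Bad cache' section of a dump."""
    entries: List[BadCacheEntry] = []
    in_section = False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("; Bad cache"):
            in_section = True
            continue
        if not in_section or not line.startswith(";"):
            continue
        m = BAD_LINE.match(line)
        if m is None:
            in_section = False  # a different comment header ends the section
            continue
        name = m["name"].lower().rstrip(".") + "."  # normalise to a trailing dot
        entries.append(BadCacheEntry(name, m["rrtype"], int(m["ttl"])))
    return entries


def in_zone(name: str, zone: str) -> bool:
    """Label-aware: 'a.example.net.' is under 'example.net.', 'xexample.net.' is not."""
    n = name.lower().rstrip(".").split(".")
    z = zone.lower().rstrip(".").split(".")
    return n[-len(z):] == z


def bad_entries_under(dump: str, zone: str) -> List[BadCacheEntry]:
    return [e for e in parse_bad_cache(dump) if in_zone(e.name, zone)]


# Constructed sample dump using the 2001:db8::/32 documentation prefix.
SAMPLE_DUMP = """\
; Cache dump of view '_default' (cache _default)
ns0.example.net.        26445   A       192.0.2.1
; Bad cache
; 0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa/DS [ttl 429219]
; broken.example.net/AAAA [ttl 12000]
; Unassociated entries
"""
```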
> I have a couple of recursive servers running 9.10.3-P2 which are
> intermittently returning SERVFAIL responses for queries under
> a.f.f.126.96.36.199.8.1.0.a.2.ip6.arpa. This domain is in dlv.isc.org; its
> parent is unsigned but seems to be DNSSEC-aware - the servers set DO and
> give the correct authority for DS nodata responses.
After turning on lame-servers logging I get the following which basically
confirms what I already worked out but doesn't really explain why the
validator thinks that a broken chain of trust is such a disaster.
Also, why is it trying to get address records for a reverse DNS name?
f.anthony.n.finch <[hidden email]> http://dotat.at/
Fair Isle, Southeast Faeroes: Southwesterly veering southerly for a time, 7 to
severe gale 9, increasing storm 10 or violent storm 11 later. Very rough or
high, becoming high or very high later. Rain or squally showers. Moderate or
good, occasionally poor.
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
On 23-Dec-15 08:34, Tony Finch wrote:
> Tony Finch <[hidden email]> wrote:
> Also, why is it trying to get address records for a reverse DNS name?
An ip6.arpa or in-addr.arpa zone is not restricted to PTR records.
There's nothing special about 'reverse zones'.
dnsviz uses some heuristics to guess what records are worth looking for.
A while ago I asked Casey to have DNSVIZ check for more than PTR+DNSSEC
records in reverse zones, which he did.
There's a panel in dnsviz where you can change what it looks for if you
want more (or less).
A/AAAA records are used in reverse zones by an obscure RFC (1101
encoding of subnet masks), and by others for similar purposes.
(It shouldn't be surprising that CNAME, TXT, RP, LOC and DNSSEC-related
records can be in reverse zones too.)
dnsviz launches its queries in parallel, so asking for a few extra
records doesn't hurt anyone.