Domains without A registry in nameservers

Hi,

We are currently running unbound in an anycasting scenario and it works
great. I've found some problems catching domains without NS A records
at nameservers (some servers do not provide A records for nameservers).
I've found a workaround adding a local-data in the configuration, but
if the provider changes the nameserver IP address it will fail. Do you
know an alternative workaround or some configuration parameter to solve
this problem?

P.S. For example: thednsreport.com - Information on the topic thednsreport.

My workaround:

local-zone: "actualcat.com." transparent
local-data: "ns1.actualcat.com A 213.192.239.111"
local-data: "ns2.actualcat.com A 213.192.239.112"

Isaac González

The attached message was received as a bounce. Seems to belong over here.
    Wouter.

Hi Isaac,

It is not that .es does not provide glue. That is not a problem here.

The ns1.actualcat.com server 'exists' in the .com nameservers.
But not on the actualcat.com servers themselves, they give NXDOMAIN.
Unbound refuses to use this. That is why sanvic.es returns SERVFAIL.

(is .com hijacked? No, this looks like a registration problem).

Best regards,
    Wouter

The problem here is that there are glue records for ns[12].actualcat.com pointing
to 213.192.239.112 and 213.192.239.111. However, when you ask those servers for
the A record of ns[12].actualcat.com you get an NXDOMAIN.

Since the NXDOMAIN is in the authority section it "outweighs" the previous
glue records that were in the additional section and the hints are dropped.

So even with harden-referral-path: no, it will end up failing.

The owner of the zone actualcat.com will need to fix their zone.

Paul

* Paul Wouters:

> The owner of the zone actualcat.com will need to fix their zone.

And if someone complains that it works with BIND: it doesn't.

If you query, with a cold cache, for www.actualcat.com,
ns1.actualcat.com, ns2.actualcat.com (in that order) first, then the
lookup of sanvic.es will fail with BIND, too (version 9.3.4 at least).
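
The query-order dependence described in this thread, as a toy cache model. This is an added example, not code from Unbound, BIND or any poster: the two trust levels are a simplification of the RFC 2181 section 5.4.1 ranking, the class and function names are hypothetical, and it assumes sanvic.es is delegated to ns1/ns2.actualcat.com. It models a resolver that uses unverified glue until an authoritative answer replaces it, not Unbound's stricter refusal.

```python
from enum import IntEnum

class Trust(IntEnum):
    # Simplified ordering after RFC 2181 section 5.4.1 (lowest first).
    GLUE_ADDITIONAL = 1   # addresses from the additional section of a referral
    AUTH_ANSWER = 2       # data (or NXDOMAIN) from an authoritative reply

NXDOMAIN = "NXDOMAIN"

class Cache:
    """Toy resolver cache: an entry is replaced only by equal or higher trust."""
    def __init__(self):
        self.entries = {}  # name -> (trust, address or NXDOMAIN)

    def store(self, name, value, trust):
        current = self.entries.get(name)
        if current is None or trust >= current[0]:
            self.entries[name] = (trust, value)

    def address(self, name):
        entry = self.entries.get(name)
        if entry is None or entry[1] == NXDOMAIN:
            return None
        return entry[1]

def resolve_via(cache, ns_names):
    """Return 'OK' if any nameserver of the target zone has a usable address."""
    usable = [cache.address(n) for n in ns_names if cache.address(n)]
    return "OK" if usable else "SERVFAIL"

# Constructed sample data, using the names and addresses quoted in the thread.
GLUE = {"ns1.actualcat.com.": "213.192.239.111",
        "ns2.actualcat.com.": "213.192.239.112"}

def scenario(query_ns_names_first):
    cache = Cache()
    for name, addr in GLUE.items():          # referral from the .com servers
        cache.store(name, addr, Trust.GLUE_ADDITIONAL)
    if query_ns_names_first:                 # child servers answer NXDOMAIN
        for name in GLUE:
            cache.store(name, NXDOMAIN, Trust.AUTH_ANSWER)
        for name, addr in GLUE.items():      # a later referral cannot undo it
            cache.store(name, addr, Trust.GLUE_ADDITIONAL)
    # Assumption: sanvic.es is delegated to these two nameserver names.
    return resolve_via(cache, list(GLUE))

if __name__ == "__main__":
    print("glue only:", scenario(False))
    print("after asking the child for ns1/ns2:", scenario(True))
```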