Parent child disagreement problem

Hi guys,

We ran across a new problem in what appears to be parent-child
disagreement on version 1.4.4. The resolution appears to work as
expected when digging for A records in the domain, but if you first
dig for the NS (starting with an empty cache), then subsequent A
record lookups fail.

If you dig safesvc.gov.cn NS, it returns an invalid response:

;; ANSWER SECTION:
safesvc.gov.cn. 3600 IN NS netdns.

Then trying to resolve an A record from this domain results in a SERVFAIL:

;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1462
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.safesvc.gov.cn. IN A

The A query appears to work as expected if you never issue the
'dig safesvc.gov.cn NS' command.

Mike

> We ran across a new problem in what appears to be parent-child
> disagreement on version 1.4.4. The resolution appears to work as
> expected when digging for A records in the domain, but if you first
> dig for the NS (starting with an empty cache), then subsequent A
> record lookups fail.
>
> If you dig safesvc.gov.cn NS, it returns an invalid response:
>
> ;; ANSWER SECTION:
> safesvc.gov.cn. 3600 IN NS netdns.
>
> Then trying to resolve an A record from this domain results in a SERVFAIL:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1462

I did this against a non-dnssec bind, and it produced the same result.

> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.safesvc.gov.cn. IN A
>
> The A query appears to work as expected if you never issue the
> 'dig safesvc.gov.cn NS' command.

Except I always get a servfail for www.safesvc.gov.cn.

The domain is pretty broken:

$ dnscheck safesvc.gov.cn.
   0.000: safesvc.gov.cn. INFO Begin testing zone safesvc.gov.cn. with version 0.93_01.
   0.000: safesvc.gov.cn. INFO Begin testing delegation for safesvc.gov.cn..
   9.067: safesvc.gov.cn. INFO Name servers listed at parent: netdns.safesvc.com.cn
   9.387: safesvc.gov.cn. ERROR No name servers found at child.
   9.387: safesvc.gov.cn. ERROR Superfluous name server listed at parent: netdns.safesvc.com.cn
   9.388: safesvc.gov.cn. ERROR Too few name servers (0).
   9.388: safesvc.gov.cn. INFO Done testing delegation for safesvc.gov.cn..
   9.388: safesvc.gov.cn. CRITICAL Fatal error in delegation for zone safesvc.gov.cn..
   9.388: safesvc.gov.cn. INFO Test completed for zone safesvc.gov.cn..
$

Not sure if it’s similar, but the wife was trying to go to one of those designer check places that always sends you junk in the mail… in this case www.checksunlimited.com.

Lookups always SERVFAIL for the domain checksunlimited.com. Running unbound in debug, it always sets the results to THROWAWAY. I tried to debug it, but it quickly went over my head.

Went back to my old dnscache setup that unbound replaced, and it worked fine :(.

-Dustin

Hi Dustin, Paul, Mike,

Fixed the safesvc.gov.cn lookups (in svn trunk), but I cannot see what
is going wrong for checksunlimited.com. Dustin, do you have a tcpdump
or perhaps a high verbosity trace from unbound (or unbound-host) with
the error?

Best regards,
   Wouter
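
The parent/child NS comparison discussed in this thread, as an added example that is not part of any poster's message and is neither unbound's nor dnscheck's code. It parses dig-style record lines and reports where the delegation disagrees; the sample records are constructed from the names quoted above, and the parent TTL and the function names are assumptions.

```python
import re

# Constructed dig-style records. Names follow the thread; the parent TTL is
# made up for the example.
PARENT_AUTHORITY = "safesvc.gov.cn. 86400 IN NS netdns.safesvc.com.cn.\n"
CHILD_ANSWER = ";; ANSWER SECTION:\nsafesvc.gov.cn. 3600 IN NS netdns.\n"

NS_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)\s*$", re.IGNORECASE)


def fqdn(name):
    """Lower-case a name and give it exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def ns_targets(dig_text, zone):
    """Return the set of NS targets that dig-style text lists for `zone`."""
    targets = set()
    for line in dig_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and dig's comment/header lines
        m = NS_LINE.match(line)
        if m and fqdn(m.group(1)) == fqdn(zone):
            targets.add(fqdn(m.group(2)))
    return targets


def compare_delegation(zone, parent_text, child_text):
    """Compare the NS set seen at the parent with the one served by the child."""
    parent = ns_targets(parent_text, zone)
    child = ns_targets(child_text, zone)
    findings = []
    if not child:
        findings.append(("ERROR", "no NS records at child"))
    for name in sorted(parent - child):
        findings.append(("ERROR", f"listed at parent only: {name}"))
    for name in sorted(child - parent):
        findings.append(("ERROR", f"listed at child only: {name}"))
    for name in sorted(parent | child):
        # One label plus the root dot (e.g. "netdns.") names a host directly
        # under the root, which a resolver is unlikely to be able to follow.
        if name != "." and name.count(".") == 1:
            findings.append(("WARN", f"single-label NS target: {name}"))
    return findings


if __name__ == "__main__":
    for level, msg in compare_delegation("safesvc.gov.cn", PARENT_AUTHORITY, CHILD_ANSWER):
        print(level, msg)
```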