SERVFAIL and CNAME

I have been having trouble resolving "www.balfour.com"

It appears that ns1.worldnic.com and ns2.worldnic.com (the NS for
"www.balfour.com") is returning a CNAME response (pointing off to an
amazon'd name) with the SERVFAIL bit set in the header. It also
(according to dig) sometimes spits back a truncated response requiring
a TCP retry.

This combination of things makes unbound a bit upset. I've seen
discussions of this here:

http://mailman.powerdns.com/pipermail/pdns-dev/2010-October/000886.html

(My guess is that worldnic.com is running PowerDNS)

In practice, sometimes unbound returns the A record, sometimes not!
It appears other recursive servers are much more permissive here.

Hi,

> I have been having trouble resolving "www.balfour.com"
>
> It appears that ns1.worldnic.com and ns2.worldnic.com (the NS for
> "www.balfour.com") is returning a CNAME response (pointing off to an
> amazon'd name) with the SERVFAIL bit set in the header. It also
> (according to dig) sometimes spits back a truncated response requiring
> a TCP retry.

So it returns SERVFAIL. The content of the message is junk. unbound
ignores the contents of the message.

> This combination of things makes unbound a bit upset. I've seen
> discussions of this here:

Well, it's not upset, it is simply not resolving the name. But that is
the issue here, of course.

> http://mailman.powerdns.com/pipermail/pdns-dev/2010-October/000886.html
>
> (My guess is that worldnic.com is running PowerDNS)

Yes, I hope that patch fixes authority-server-powerdns so it does not
emit errors when it should not. It looks a bit bland to me - like
emitting noerror when there could be errors, but I am not the powerdns
code expert.

> In practice, sometimes unbound returns the A record, sometimes not!
> It appears other recursive servers are much more permissive here.

I guess the +TC tcp fallback actually works. Other cases have an error
set, and are thus ignored.

---

> Is there a way to make Unbound "happier" about this name and semi-broken setup?

Not return error codes when you mean to return a CNAME? You could email
the owners of the site (SOA hostmaster should be a good email to start).

local-data: "www.balfour.com A <IP>" in your config to provide an
override for this name to the correct IP address?

Best regards,
   Wouter
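
The header combination discussed in this thread, as an added example that is not part of the original messages and is not unbound's code: it builds constructed DNS responses and classifies them with a simplified model of the behaviour the reply describes (truncated means retry over TCP, an error rcode means the contents are ignored). The CNAME target `target.example.net` and the function names are assumptions made for illustration.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """Encode a domain name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_response(qname, rcode, tc, cname_target=None):
    """Construct a sample authoritative response (test data, not a capture)."""
    flags = 0x8000 | 0x0400 | (0x0200 if tc else 0) | rcode  # QR, AA, TC, RCODE
    ancount = 1 if cname_target else 0
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN
    if cname_target:
        rdata = encode_name(cname_target)
        # Owner name is a compression pointer to the question name at offset 12.
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, len(rdata)) + rdata
    return msg

def classify(msg):
    """Read the 12-byte header and say what a strict resolver does with it."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    tc = bool(flags & 0x0200)
    if tc:
        verdict = "retry-over-tcp"       # truncated: the UDP contents are not used
    elif rcode != 0:
        verdict = "ignore-contents"      # error set: answer section is not trusted
    else:
        verdict = "use-answer"
    return {
        "rcode": RCODES.get(rcode, "RCODE%d" % rcode),
        "tc": tc,
        "ancount": ancount,
        "verdict": verdict,
        # SERVFAIL that still carries answer records is the broken case here.
        "inconsistent": rcode == 2 and ancount > 0,
    }

if __name__ == "__main__":
    for rcode, tc in ((2, False), (2, True), (0, False)):
        print(classify(build_response("www.balfour.com", rcode, tc, "target.example.net")))
```
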