Problem with .org domain resolution
Jeremy C. Reed
jreed at isc.org
Wed Jun 3 17:18:28 UTC 2009
On Wed, 3 Jun 2009, Kevin Darcy wrote:
> Kevin Darcy wrote:
> > Since .org was recently DNSSEC-signed
> > (http://www.afilias.info/afilias+signs+org+zone), my guess would be that you
> > have a firewall, an intrusion-prevention device, or somesuch, that is
> > dropping the packets because it doesn't understand the DNSSEC records
> > contained in them.
(Ignoring the "never mind" ...)

That might be the case. 9.6 has DNSSEC validation enabled by default so
the corresponding DNSSEC records and signatures may be sent back
regardless of whether the label requested is signed or not, such as the
NSEC3 (TYPE50) and RRSIGs in the AUTHORITY section.

Juan:

Please use dig instead.

Please try with DNSSEC checking disabled, for example:

  dig +cd www.mirrorservice.org @10.20.29.22
  dig +cd www.madrid.org @10.20.29.22
  dig +cd www.wikipedia.org @10.20.29.22

Please look at your BIND logging. (Maybe search for "error".)
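
Added example, not part of the original message: a Python sketch of the two query bits involved in the discussion above, the header CD (Checking Disabled) bit that `dig +cd` sets and the EDNS0 DO (DNSSEC OK) bit that asks for RRSIG/NSEC3 records in the reply. The function names, query ID, and 4096-byte advertised UDP size are assumptions chosen for illustration.

```python
import struct

RD_FLAG = 0x0100   # header bit: Recursion Desired
CD_FLAG = 0x0010   # header bit: Checking Disabled (set by dig +cd)
DO_FLAG = 0x8000   # EDNS0 flag bit: DNSSEC OK (RFC 3225)
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1

def build_query(name, qid=0x1234, cd=False, do=False, udp_size=4096):
    """Build a DNS A query in wire format (constructed sample, never sent)."""
    flags = RD_FLAG | (CD_FLAG if cd else 0)
    msg = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1 if do else 0)
    for label in name.rstrip(".").split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack("!HH", TYPE_A, CLASS_IN)
    if do:
        # OPT pseudo-RR: root name, TYPE=41, CLASS carries the UDP payload
        # size, TTL carries ext-rcode/version/flags, RDLENGTH=0.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, DO_FLAG, 0)
    return msg

def describe_query(msg):
    """Report the bits a firewall or IPS on the path has to tolerate."""
    _qid, flags, _qd, _an, _ns, ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    while msg[pos]:              # walk QNAME labels (no compression in queries)
        pos += 1 + msg[pos]
    pos += 1 + 4                 # root label, then QTYPE and QCLASS
    # Without EDNS0 a UDP reply is limited to 512 bytes (RFC 1035).
    info = {"cd": bool(flags & CD_FLAG), "edns": False,
            "do": False, "udp_size": 512}
    if ar and msg[pos] == 0:
        rtype, size, ttl, _rdlen = struct.unpack("!HHIH", msg[pos + 1:pos + 11])
        if rtype == TYPE_OPT:
            info.update(edns=True, do=bool(ttl & DO_FLAG), udp_size=size)
    return info

if __name__ == "__main__":
    for opts in ({"cd": True}, {"do": True}, {"cd": True, "do": True}):
        print(opts, describe_query(build_query("www.wikipedia.org", **opts)))
```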