Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled

Roy Badami roy at gnomon.org.uk
Wed Apr 14 23:28:55 UTC 2010


> Well, FWIW I upgraded to 9.7.0-P1 and tried enabling DLV again and
> I've seen no repeat of the DNSSEC name resolution issues so far; it's
> early days yet (only been running DLV for three days) but certainly
> looking promissing.

I spoke too soon.  I've now found a query that (at least this evening)
is consistently failing for me, even if I restart BIND.

The following query gives me SERVFAIL

  	dig www.bbc.net.uk aaaa

But the following two queries work:

	dig www.bbc.net.uk a
    	dig www.bbc.net.uk aaaa +cd

This is particularly odd, because there is absolutely no DNSSEC
involved here.  No domain above www.bbc.net.uk appears to be in the
DLV registry, and BIND must be able to successfully verify the
covering NSEC record that proves that in order to be willing to
resolve the A query above.  So I can't immediately see any way this
situation could arise except due to a BIND bug.

Anyone else have an IPv6-connected BIND 9.7.0-P1 host with DLV enabled
they can try this query on?

    -roy



More information about the bind-users mailing list