Alan Clegg alan at clegg.com
Wed Oct 5 16:28:30 UTC 2011

On 10/5/2011 5:21 AM, Sergio Charpinel Jr. wrote:

> After supplying DS and the respective NS record for subdomain in the
> parent zone (domain.com), it works. If I disable dnssec in my
> recursive server, it also works.
> So, if a zone is not signed properly (or doesn't have DS records) the
> query will fail? Isn't it better to query those misconfigured servers
> without DNSSEC, just like it does when the zone is not signed?

Without the necessary NS records in the parent, the zone was never
correctly delegated.  It worked, but only due to a fluke of being served
on the same server as its parent zone.

Implementing DNSSEC made you fix your zone.  This is not a bad thing.

There is no reason to "try again without DNSSEC" if you get a failure,
because that failure means it didn't work.  You may end up trying
different authoritative servers if you get a failure (to work around
poisoned or disrupted servers), but you don't ever fall back to
non-DNSSEC lookups on zones that should be secure.

alan at clegg.com
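The validator behaviour described in this exchange, as an added illustration that is not code from the thread or from BIND: a simplified model of how a validating resolver classifies the three cases (no delegation in the parent, insecure delegation without DS, signed delegation) and why a bogus answer leads to SERVFAIL rather than a non-DNSSEC retry. The response dictionaries and addresses are constructed for the example.

```python
"""Simplified model of a DNSSEC-validating resolver deciding what to do with
answers for a name under a signed parent zone (constructed illustration)."""
from enum import Enum

class State(Enum):
    SECURE = "secure"      # chain of trust intact: answer is returned
    INSECURE = "insecure"  # parent proves there is no DS: child treated as unsigned
    BOGUS = "bogus"        # validation was expected and failed: SERVFAIL

def classify(parent_has_ns, parent_has_ds, sigs_chain):
    """Classify an answer for a child name.

    parent_has_ns: the parent zone holds NS records for the child (a real zone cut).
    parent_has_ds: the parent zone holds a DS record for the child.
    sigs_chain:    the answer's RRSIGs verify against a key the resolver can chain
                   to (the DS-referenced key, or the parent's own key when there
                   is no zone cut)."""
    if not parent_has_ns:
        # No delegation: the names are simply part of the signed parent zone, so
        # data served from a separate zone with its own keys cannot be chained.
        return State.SECURE if sigs_chain else State.BOGUS
    if not parent_has_ds:
        # Authenticated denial of DS (NSEC/NSEC3) makes this an insecure
        # delegation; the child's data is accepted exactly like an unsigned zone.
        return State.INSECURE
    return State.SECURE if sigs_chain else State.BOGUS

def resolve(responses, validating=True):
    """Try each authoritative server's (constructed) response in turn.

    A validating resolver may move on to another server after a BOGUS answer,
    but it never drops validation; if every server is BOGUS the client gets
    SERVFAIL.  With validating=False the first answer wins, which is what the
    thread observed with DNSSEC disabled on the recursive server."""
    for resp in responses:
        if not validating:
            return resp["answer"]
        state = classify(resp["parent_ns"], resp["parent_ds"], resp["sigs_chain"])
        if state is not State.BOGUS:
            return resp["answer"]
    return "SERVFAIL"

# Constructed responses for a subdomain of domain.com, served from the same box as the parent.
BEFORE_FIX = {"parent_ns": False, "parent_ds": False, "sigs_chain": False, "answer": "192.0.2.10"}
AFTER_FIX  = {"parent_ns": True,  "parent_ds": True,  "sigs_chain": True,  "answer": "192.0.2.10"}
UNSIGNED   = {"parent_ns": True,  "parent_ds": False, "sigs_chain": False, "answer": "192.0.2.10"}
POISONED   = {"parent_ns": True,  "parent_ds": True,  "sigs_chain": False, "answer": "198.51.100.66"}
```

Running `resolve([BEFORE_FIX])` gives SERVFAIL while `resolve([BEFORE_FIX], validating=False)` returns the address, which is the pair of observations the thread starts from; `resolve([POISONED, AFTER_FIX])` returns the validated answer from the second server without ever disabling validation.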

