Occasional SERVFAILs from "dig NS iq."

Tony Finch dot at dotat.at
Tue Sep 24 15:24:17 UTC 2013


Chris Thompson <cet1 at cam.ac.uk> wrote:

> I have noticed that I get occasional (fast) SERVFAIL responses from
> "dig NS iq.", e.g.
>
> "iq" is partially signed, in the sense that some of its nameservers
> deliver a signed version, and some an unsigned one, but I don't see
> how that leads to the effect observed.

It seems to happen when named gets a signed NS response then gets NODATA
when it asks for the DNSKEY RRset. If it gets an unsigned NS response it
is happy; if it gets signed NS and DNSKEY responses it is happy.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.


More information about the bind-users mailing list