intermittent SERVFAIL with a DLV domain

Tony Finch dot at dotat.at
Wed Dec 23 13:34:25 UTC 2015


Tony Finch <dot at dotat.at> wrote:

> I have a couple of recursive servers running 9.10.3-P2 which are
> intermittently returning SERVFAIL responses for queries under
> a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa. This domain is in dlv.isc.org; its
> parent is unsigned but seems to be DNSSEC-aware - the servers set DO and
> give the correct authority for DS nodata responses.
>
> http://dnsviz.net/d/a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/dnssec/

After turning on lame-servers logging I get the following which basically
confirms what I already worked out but doesn't really explain why the
validator thinks that a broken chain of trust is such a disaster.

Also, why is it trying to get address records for a reverse DNS name?

23-Dec-2015 13:20:54.328 lame-servers: info: broken trust chain resolving 'a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/DS/IN': 94.126.40.2#53
23-Dec-2015 13:20:54.328 lame-servers: info: broken trust chain resolving '1.0.0.0.3.2.1.0.0.0.0.0.0.0.0.0.2.0.0.f.a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/AAAA/IN': 2a01:8000:1ffa:f003:bc9d:1dff:fe9b:7466#53
23-Dec-2015 13:20:54.398 lame-servers: info: broken trust chain resolving '1.0.0.0.3.2.1.0.0.0.0.0.0.0.0.0.2.0.0.f.a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/A/IN': 217.168.153.95#53

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Fair Isle, Southeast Faeroes: Southwesterly veering southerly for a time, 7 to
severe gale 9, increasing storm 10 or violent storm 11 later. Very rough or
high, becoming high or very high later. Rain or squally showers. Moderate or
good, occasionally poor.
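
An added example (not part of the original message and not BIND code): a small Python triage script that parses the "broken trust chain" lines quoted above, decodes each ip6.arpa name into the IPv6 prefix it covers, and flags A/AAAA lookups for reverse-tree names, the oddity the message asks about. The names `decode_ip6_arpa` and `triage` are hypothetical, and the log format is assumed to match the three lines in the message.

```python
import ipaddress
import re

# Log lines copied from the message above (not constructed).
SAMPLE_LOG = """\
23-Dec-2015 13:20:54.328 lame-servers: info: broken trust chain resolving 'a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/DS/IN': 94.126.40.2#53
23-Dec-2015 13:20:54.328 lame-servers: info: broken trust chain resolving '1.0.0.0.3.2.1.0.0.0.0.0.0.0.0.0.2.0.0.f.a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/AAAA/IN': 2a01:8000:1ffa:f003:bc9d:1dff:fe9b:7466#53
23-Dec-2015 13:20:54.398 lame-servers: info: broken trust chain resolving '1.0.0.0.3.2.1.0.0.0.0.0.0.0.0.0.2.0.0.f.a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/A/IN': 217.168.153.95#53
"""

# Assumed format: "... broken trust chain resolving 'NAME/TYPE/CLASS': SERVER#PORT"
LINE_RE = re.compile(
    r"lame-servers: info: broken trust chain resolving "
    r"'(?P<name>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^/']+)': "
    r"(?P<server>\S+)#(?P<port>\d+)$"
)

def decode_ip6_arpa(name):
    """Return the IPv6 network covered by a nibble-format ip6.arpa name, or None."""
    labels = name.lower().rstrip(".").split(".")
    if labels[-2:] != ["ip6", "arpa"]:
        return None
    nibbles = labels[:-2]
    if not nibbles or len(nibbles) > 32:
        return None
    if any(len(n) != 1 or n not in "0123456789abcdef" for n in nibbles):
        return None
    # Labels are least-significant nibble first; reverse, then zero-pad to 128 bits.
    hexstr = "".join(reversed(nibbles)).ljust(32, "0")
    return ipaddress.IPv6Network((int(hexstr, 16), 4 * len(nibbles)))

def triage(log_text):
    """Summarise each broken-trust-chain line as a dict."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line.strip())
        if not m:
            continue
        net = decode_ip6_arpa(m["name"])
        findings.append({
            "qtype": m["qtype"],
            "server": m["server"],
            "covers": str(net) if net else None,
            # A/AAAA queries for a name in the reverse tree are unexpected.
            "address_query_in_reverse_tree": net is not None and m["qtype"] in ("A", "AAAA"),
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```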


More information about the bind-users mailing list