DNAME + DNSSEC
Marco Davids (SIDN)
marco.davids at sidn.nl
Thu Oct 20 12:41:52 UTC 2016
I noticed some inconsistent behavior in a particular setup where a DNAME
is involved and I am trying to figure out who is right and who is wrong.
Players involved on the resolving side are:
- Google Public DNS (resolves without an error)
- BIND (often results in a timeout and a log-rule saying: "unrelated DNAME
- Unbound (results in a SERVFAIL)
On the authoritative side the players are:
- The query-type (A yields other results than ANY)
The query to test is for example:
dig +dnssec -t ANY _sidn._dnssec-valcheck._1804289384.bergzand.nl
I believe both bergzand.nl and bergzand.net are hosted on PowerDNS.
dig +dnssec -t ANY _sidn._dnssec-valcheck._1804289384.scintilla.nl
This domain is served from BIND.
For testing purposes I tried to simulate the situation in sidnlabs.nl:
dig +dnssec -t ANY _sidn._dnssec-valcheck._1804289384.sidnlabs.nl
sidnlabs.nl is served from BIND, but example.nl (the DNAME) is served
from BIND and NSD.
I guess I have these questions to the reader:
- Is it ok for BIND to have a timeout?
- Why does Google resolve, why does Unbound result in a SERVFAIL and who
- Is there an authoritative server (PowerDNS perhaps?) not doing the
I've been looking too long at this matter so this is the time to ask for
your help. It didn't help that DNS-OARC's open BIND-resolver
(220.127.116.11) broke down (having the same effect as a timeout).