DNAME + DNSSEC

Marco Davids (SIDN) marco.davids at sidn.nl
Thu Oct 20 12:41:52 UTC 2016


Hi,

I noticed some inconsistent behavior in a particular setup where a DNAME
is involved and I am trying to figure out who is right and who is wrong.

Players involved on the resolving side are:

Google Public DNS (resolves without an error)
BIND (often results in a timeout and a log line saying: "unrelated DNAME
in answer")
Unbound (results in a SERVFAIL)

On the authoritative side the players are:

PowerDNS
BIND
NSD

The query type (A yields other results than ANY)

The query to test is for example:

dig +dnssec -t ANY _sidn._dnssec-valcheck._1804289384.bergzand.nl

I believe both bergzand.nl and bergzand.net are hosted on PowerDNS.

dig +dnssec -t ANY _sidn._dnssec-valcheck._1804289384.scintilla.nl

This domain is served from BIND.

For testing-purposes I tried to simulate the situation in sidnlabs.nl:

dig +dnssec -t ANY _sidn._dnssec-valcheck._1804289384.sidnlabs.nl

sidnlabs.nl is served from BIND, but example.nl (the DNAME) is served
from BIND and NSD.

I guess I have these questions to the reader:

- Is it ok for BIND to have a timeout?
- Why does Google resolve, why does Unbound result in a SERVFAIL and who
is right?
- Is there an authoritative server (PowerDNS perhaps?) not doing the
right thing?

I've been looking too long at this matter, so this is the time to ask for
your help. It didn't help that DNS-OARC's open BIND resolver
(184.105.193.73) broke down, having the same effect as a timeout.

Thanks.

--
Marco
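The disagreement between the resolvers comes down to what a validating resolver has to do with a DNAME it finds in the answer section: decide whether the DNAME actually covers the query name (BIND's "unrelated DNAME in answer" is exactly this check failing), synthesize the CNAME per RFC 6672, verify that any CNAME the server returned matches that synthesis, and validate the RRSIG over the DNAME, since the synthesized CNAME itself is never signed. The script below, added here as an illustration and not code from the original post or from BIND, Unbound, PowerDNS or NSD, performs those checks on a constructed answer section. The DNAME owner (`_1804289384.sidnlabs.nl.`), its target (`example.nl.`) and the RRSIG rdata are assumptions modelled on the sidnlabs.nl test in the message; the real zone contents are not known here.

```python
"""Reason about a DNAME in a DNS answer the way a validating resolver must.

Added example for this thread, not code from the original post or from any
of the resolvers or authoritative servers it mentions.  The DNAME owner,
target and answer section below are constructed to resemble the sidnlabs.nl
test described in the message; the real zone contents are not known here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record in presentation form (owner, type, rdata)."""
    owner: str
    rtype: str
    rdata: str


def labels(name):
    """Split a presentation-format name into lowercase labels, root omitted."""
    n = name.rstrip(".").lower()
    return n.split(".") if n else []


def is_proper_subdomain(qname, owner):
    """True if qname is strictly below owner (label-wise, not a string suffix)."""
    q, o = labels(qname), labels(owner)
    return len(q) > len(o) and q[len(q) - len(o):] == o


def synthesize_cname(qname, dname_owner, dname_target):
    """Return the CNAME target RFC 6672 substitution produces for qname,
    or None when the DNAME does not apply to qname at all."""
    if not is_proper_subdomain(qname, dname_owner):
        return None
    q, o = labels(qname), labels(dname_owner)
    prefix = q[:len(q) - len(o)]          # labels left of the DNAME owner
    new_name = ".".join(prefix + labels(dname_target)) + "."
    # RFC 6672: a substituted name longer than 255 octets yields YXDOMAIN.
    if len(new_name.encode()) > 255:
        raise ValueError("synthesized name too long (YXDOMAIN)")
    return new_name


def check_dname_answer(qname, answer):
    """Walk the answer section and return a list of human-readable findings."""
    findings = []
    # (owner, covered type) pairs that carry an RRSIG; RRSIG rdata starts
    # with the covered type, e.g. "DNAME 8 3 3600 ...".
    signed = {(rr.owner.lower(), rr.rdata.split()[0].upper())
              for rr in answer if rr.rtype == "RRSIG"}
    for rr in answer:
        if rr.rtype != "DNAME":
            continue
        expected = synthesize_cname(qname, rr.owner, rr.rdata)
        if expected is None:
            findings.append(f"unrelated DNAME in answer: {rr.owner} "
                            f"does not cover {qname}")
            continue
        # The synthesized CNAME is never signed; the validator proves the
        # DNAME's RRSIG and then checks the CNAME against its own synthesis.
        if (rr.owner.lower(), "DNAME") not in signed:
            findings.append(f"DNAME {rr.owner} has no RRSIG; "
                            "a validator cannot prove it")
        cnames = [c for c in answer
                  if c.rtype == "CNAME" and labels(c.owner) == labels(qname)]
        if not cnames:
            findings.append(f"no CNAME for {qname}; "
                            f"resolver must synthesize {expected}")
        elif labels(cnames[0].rdata) != labels(expected):
            findings.append(f"CNAME {cnames[0].rdata} does not match "
                            f"synthesis {expected}")
        else:
            findings.append(f"ok: {qname} -> {expected} via DNAME {rr.owner}")
    return findings


# Constructed sample, not captured from the real zone.  The DNAME owner is an
# assumption; the query name is the one from the message.
QNAME = "_sidn._dnssec-valcheck._1804289384.sidnlabs.nl."
SAMPLE_ANSWER = [
    RR("_1804289384.sidnlabs.nl.", "DNAME", "example.nl."),
    RR("_1804289384.sidnlabs.nl.", "RRSIG",
       "DNAME 8 3 3600 20161120000000 20161020000000 12345 sidnlabs.nl. "
       "c29tZXNpZw=="),   # placeholder signature bytes, not a real RRSIG
    RR(QNAME, "CNAME", "_sidn._dnssec-valcheck.example.nl."),
]

if __name__ == "__main__":
    for line in check_dname_answer(QNAME, SAMPLE_ANSWER):
        print(line)
```

Because DNAME substitution depends only on the owner name, the check is the same whether the query type is A or ANY; if the two query types really produce different answers from the same authoritative server, that is the server's behaviour to inspect, not the resolver's. Running the script against a captured answer (filling `SAMPLE_ANSWER` from `dig +dnssec` output) shows which of the three conditions a resolver is tripping over.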
