Unsupported DNSSEC algorithms should not lead to SERVFAIL.
Ondřej Surý
ondrej at isc.org
Thu Oct 30 21:39:31 UTC 2025
No, you have not been caught by this. The issue you are referring to affects only a development
version of BIND 9 (9.21), so whatever you are experiencing is not related to this.
You need to provide evidence (logs, reproducer) about what is going on, so we can help you
diagnose the issue you are experiencing.
Ondrej
--
Ondřej Surý (He/Him)
ondrej at isc.org
My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
> On 30. 10. 2025, at 18:21, Kelsey Cummings <kgc at corp.sonic.net> wrote:
>
> We think that we got caught by this change as part of our roll out to 9.18.41. The basic gist is, that in a service provider context, our job is to do our best to resolve DNS as quickly and as well as possible for our customers. If google and cloudflare resolve the domains and we can't, the customer does not care in the slightest why, only that they're not able to get to their work, school or other public resource. This just results in them migrating away from our recursive clusters to these public resources for good.
>
> There certainly may be context where the new behavior is justified, but default or not, we need the ability to enable more relaxed behavior.
>
> "be conservative in what you do, be liberal in what you accept from others"
>
> https://gitlab.isc.org/isc-projects/bind9/-/issues/5570
>
> --
> kelsey.cummings at sonic.com sonic.net, inc.
> System Architect 2260 Apollo Way
> 707.522.1000 Santa Rosa, CA
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list.
More information about the bind-users
mailing list