<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<p>Today, we had a case where one of our resolvers (9.16.37) failed
to return an SOA-record for the TLD 'us'. Digging with the +cd
flag returned a value, while delving with +vtrace failed:</p>
<p><font face="monospace">;; fetch: us/SOA<br>
;; resolution failed: SERVFAIL</font></p>
<p>Fingers pointed to a failure to validate. I dumped the cache to a
file, and then did a flushname of 'us.' <br>
</p>
<p>Digging and delving were then successful.</p>
<p>When looking in the dumped cache, I see the RRSIG-record for the
SOA-record is marked as 'stale', and the DNSKEY-record (id=54159)
is marked as 'pending-answer'.<br>
</p>
<p>Is stale data used during the validation of answers?</p>
<p>:: From the dumped cache ::<br>
</p>
<p><font face="monospace">us. 84964 SOA a.cctld.us. admin.tldns.godaddy. (<br>
1677862753 ; serial<br>
1800 ; refresh (30 minutes)<br>
300 ; retry (5 minutes)<br>
604800 ; expire (1 week)<br>
1800 ; minimum (30 minutes)<br>
)<br>
; secure<br>
; stale<br>
84964 RRSIG SOA 8 1 900 (<br>
20230402170130 20230303160130 54159 us.<br>
OKQQZoU8itxdg2T+AYpefOmGILJZRl1aA9zb<br>
NXzYL9sXWsMMlctwod9JkEM08/SYGEHTmaEa<br>
M+d9PMAjeeJMiChj3RV3TPGKRDubUbBrNJb2<br>
R15fsjZRcVf8Iebhr0EZ/yxTJl4YzcTbUh9v<br>
ffNOEULcPuVJmv0Hda7HKvnBmVJszPZImfLX<br>
YIx3SyzRBp7jiZT1t7oyfZSlAbuRjX7zOw== )<br>
; secure<br>
82614 DS 46144 8 2 (<br>
0C67E6017124BF19D50BE565CC486FF3CFE2<br>
A278FE2E5983FF97B2A453386419 )<br>
; secure<br>
82614 RRSIG DS 8 1 86400 (<br>
20230316050000 20230303040000 951 .<br>
NHCxlyjA2/t38e03sjyEnXMszz/2whq5GFmP<br>
Jf2Ttx9bUy1d/gq2n2PiM1BFZYKQvMGynB4f<br>
58NK8905TG1fveBUTouF/eNo2gmHj/uBuPJm<br>
g19lPm05tIK5OCCyD+D16K3IncQAjZUKjfcH<br>
bT5qE8KF/ofRaO7PgFn27KbQwtnky+F3PXgJ<br>
BkFIfkPJ8SFX6WSEaM8FsLojLDiJWllwnoJK<br>
Qf6S0Ot8M3yOIb2oKCT0tucB7znRdkm9EEY5<br>
oSe7waJRV+0sQL3rKhJePFVrd/AeTXY6ipaK<br>
kIjdEn+1DoxiBAy/E0uhJ18s16USrxcZSSUg<br>
D5GfeGeuLiT7f69a+g== )<br>
; pending-answer<br>
3179 DNSKEY 256 3 8 (<br>
AwEAAatbrQTiZd0FdSVbnkRFiU5jf9ACOPc4<br>
M0CK+G+Gla4gH3ClPunwqBJhvRtMkKdhGE93<br>
lMuzjNkGakBrkFvzwHtIw9pWLxum2Idysf+J<br>
xdhfSXNNYEzKcP0lCIjWf+iY2rtXoltVLxgT<br>
2skvDgmbwq+a3Cb/7CAB/SmFRCl8tQJ4YpJl<br>
kHiHPbWXljjiPWsj3/52hv45GHKQPi4vRzPe<br>
aw0=<br>
) ; ZSK; alg = RSASHA256 ; key id = 54159<br>
3179 DNSKEY 257 3 8 (<br>
AwEAAe5RHQBesQeThYEf56TkLfF5NysJv/H4<br>
g1HeB7pnH25PsMVoVV/anWi7U3dSFsNzJ6nB<br>
HwY/sdmxJ/HLunC/mLSo8ugB6G+UgtAgnlL3<br>
u8Uq/3PYiBgpdNL+ldR0luV5WLAx8/1gG8JZ<br>
w3Zu9VhurHKdGZso5ajSTFwBiY39lA0wWeDO<br>
kZ2z/EV49JODt1i2N6KnvMTe5kD0qHXkP2oH<br>
xTWOlf5vqUcmJmgfvLlGB1ROBT84xCm45Sfx<br>
1U4FD8IPiOFrd9f/WcjPcW8MJFmzQmweVfKE<br>
pF28s+YZ5wKid3gYESvaCeSvj7FHzdVUCcVh<br>
Fr2+XHeB8O8GTLqk7HgfdM8=<br>
) ; KSK; alg = RSASHA256 ; key id = 46144</font></p>
<pre class="moz-signature" cols="72">--
Do things because you should, not just because you can.
John Thurston 907-465-8591
<a class="moz-txt-link-abbreviated" href="mailto:John.Thurston@alaska.gov">John.Thurston@alaska.gov</a>
Department of Administration
State of Alaska</pre>
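<p>One way to triage a dumped cache for the markers described in the message above, as an added example that is not part of the original message and is not BIND code. It assumes each <code>; marker</code> comment line applies to the RRset that follows it, as the message reads the dump; the function names are hypothetical and the sample dump is constructed, with placeholder rdata.</p>

```python
"""Triage a BIND cache dump for stale or not-yet-validated RRsets (added example)."""

# Markers seen in the dump quoted in the message above.
MARKERS = {"secure", "stale", "pending-answer"}

def parse_dump(text):
    """Map (owner, type) to the set of markers written ahead of that RRset."""
    rrsets, owner, marks, depth = {}, None, [], 0
    for line in text.splitlines():
        body = line.split(";", 1)[0]            # drop comments, incl. "(30 minutes)"
        tok = body.split()
        if depth == 0 and line.lstrip().startswith(";"):
            words = line.replace(";", " ").split()
            if words and words[0] in MARKERS:
                marks.append(words[0])
        elif depth == 0 and tok and not tok[0].startswith("$"):
            name = None if tok[0].isdigit() else tok.pop(0)
            if len(tok) >= 2 and tok[0].isdigit():    # TTL, then [class] type
                owner = name or owner                 # blank owner: same as previous
                rest = tok[2:] if tok[1] == "IN" else tok[1:]
                rtype = rest[0] + ("(%s)" % rest[1] if rest[0] == "RRSIG" else "")
                rrsets.setdefault((owner, rtype), set()).update(marks)
                marks = []
        depth += body.count("(") - body.count(")")    # track multi-line rdata
    return rrsets

def validation_suspects(rrsets):
    """RRsets that are stale or carry no 'secure' marker (e.g. pending-answer)."""
    return sorted((o, t, sorted(m)) for (o, t), m in rrsets.items()
                  if "stale" in m or "secure" not in m)

# Constructed sample, laid out like the dump above; rdata replaced by placeholders.
SAMPLE = """; secure
us.     84964 SOA a.cctld.us. admin.tldns.godaddy. (
              1677862753 ; serial
              1800       ; refresh (30 minutes)
              300 604800 1800 )
; secure
; stale
        84964 RRSIG SOA 8 1 900 (
              20230402170130 20230303160130 54159 us.
              PLACEHOLDERSIG== )
; secure
        82614 DS 46144 8 2 ( PLACEHOLDERDIGEST )
; pending-answer
        3179  DNSKEY 256 3 8 (
              PLACEHOLDERKEY1
              ) ; ZSK; alg = RSASHA256 ; key id = 54159
        3179  DNSKEY 257 3 8 ( PLACEHOLDERKEY2 ) ; KSK; key id = 46144
"""

if __name__ == "__main__":
    for owner, rtype, marks in validation_suspects(parse_dump(SAMPLE)):
        print(owner, rtype, ",".join(marks))
```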
</body>
</html>