> > dig www.bbc.net.uk aaaa +cd
>
> How does the last query "work"?
What I meant by that, in case it wasn't clear, was that setting the CD
flag in the query caused it query to succeed, hence strongly
suggesting that the cause of the failure in the original query was
related to DNSSEC validation. I'm sure my BIND would have logged
something as useful as your BIND did if I had set up logging
correctly, but I'm afraid I've always found BIND 9 logging
configuration to be rather inscrutible...
Thanks for the response, in any case. The oddities you've identified
may well be the reason why this is consistently failing, but I've seen
superficially similar (though intermittent) failures to resolve
domains under freebsd.org and isc.org under 9.7.0 (which was my
original post) so I think the underlying bug can manifest even for
conformant nameservers.
I've received a private mail from someone at ISC asking me to try a
suggested patch so there's probably little point in investigating
further until I've had to opportunity to see what effect that has.
And just for comleteness (although I don't think there would be any
real doubt about this), I've now commened out again from my config the
line
dnssec-lookaside auto;
and the query mentioned now resolves correctly.
-roy
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
