On Thu, Apr 22, 2010 at 11:17 AM, Nate Itkin <bind-us...@konadogs.net> wrote:
>
> Not specifically, but I log a lot of errors resolving in usps.gov. USPS
> clearly has configuration issues. A representative sample from my logs:
>
> 19-Apr-2010 11:04:23.072 lame-servers: no valid RRSIG resolving 'EGQ1REIRR8NVE4U6I97RO3PC2CRUU1A5.usps.gov/DS/IN': 56.0.82.25#53
> 19-Apr-2010 11:04:24.099 lame-servers: no valid RRSIG resolving 'samtcatwe0d3.usps.gov/DS/IN': 56.0.82.25#53
> 19-Apr-2010 11:04:24.890 lame-servers: no valid DS resolving 'samtcatwe0d3.usps.gov/AAAA/IN': 56.0.100.25#53
> 19-Apr-2010 11:04:27.975 lame-servers: no valid NSEC resolving 'samtcatwe0d3.usps.gov/MX/IN': 56.0.100.25#53
>
>

The usps.gov servers are not returning all the appropriate RRSIGs to cover
the NSEC3 RRs returned for denial of existence. This is consistent with all
their servers.

$ dig @dns100.usps.com +dnssec usps.gov aaaa

; <<>> DiG 9.6.1-P3 <<>> @dns100.usps.com +dnssec usps.gov cname
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40506
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;usps.gov. IN CNAME

;; AUTHORITY SECTION:
usps.gov. 1800 IN SOA dns141.usps.com. domainadmin.imail.usps.gov. 285717992 3600 1800 1209600 1800
usps.gov. 1800 IN RRSIG SOA 7 2 3600 20100502025431 20100422015431 43133 usps.gov. grQ5+JGDwezIsv2g5jAEXARLnW/leCieA/13Uxt8zZVZmUlozObsxHEo r3NuB1cF9MOg1NppkJbwKswC4AFg1lT9RZ3hAVEvFL4clLzgFYUlEmpN 3hdqJ+1ZO05zramz9loaP1TWcJPSUtLosFQaD4OuJHimxCxmMk0Qnke5 EAs=
EGQ1REIRR8NVE4U6I97RO3PC2CRUU1A5.usps.gov. 1800 IN NSEC3 1 0 100 - EHU10MMN93MNBII1G8R5MUSB0EKKKFPK NS SOA MX TXT RRSIG DNSKEY NSEC3PARAM TYPE65534

Casey
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
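The check described in the reply above, as an added example that is not part of the original thread: a Python function that reads single-line `dig +dnssec` output and lists every RRset with no covering RRSIG. The sample is constructed from the authority section quoted above with a placeholder signature; `unsigned_rrsets` is a hypothetical name, and the function checks only that a covering RRSIG is present, not that it validates.

```python
# Constructed sample modelled on the authority section quoted in the thread.
# The signature field is a placeholder, not real signature data.
SAMPLE = """\
;; AUTHORITY SECTION:
usps.gov. 1800 IN SOA dns141.usps.com. domainadmin.imail.usps.gov. 285717992 3600 1800 1209600 1800
usps.gov. 1800 IN RRSIG SOA 7 2 3600 20100502025431 20100422015431 43133 usps.gov. PLACEHOLDERSIG=
EGQ1REIRR8NVE4U6I97RO3PC2CRUU1A5.usps.gov. 1800 IN NSEC3 1 0 100 - EHU10MMN93MNBII1G8R5MUSB0EKKKFPK NS SOA MX TXT RRSIG DNSKEY NSEC3PARAM TYPE65534
"""


def unsigned_rrsets(dig_output):
    """Return sorted (owner, type) pairs that have no covering RRSIG.

    Assumes dig's default one-record-per-line layout:
    owner TTL class type rdata...
    Comment lines (starting with ';') and blank lines are skipped, so the
    full dig output can be passed in, not just one section.
    """
    rrsets = set()   # (owner, type) for every non-RRSIG record seen
    covered = set()  # (owner, type covered) taken from each RRSIG record
    for raw in dig_output.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue  # not a resource record in the expected layout
        owner = fields[0].lower()  # DNS owner names are case-insensitive
        rtype = fields[3].upper()
        if rtype == "RRSIG":
            # First RDATA field of an RRSIG is the type it covers.
            covered.add((owner, fields[4].upper()))
        else:
            rrsets.add((owner, rtype))
    return sorted(rrsets - covered)


if __name__ == "__main__":
    for owner, rtype in unsigned_rrsets(SAMPLE):
        print(f"no RRSIG covering {rtype} at {owner}")
```
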