On Tue, Oct 23, 2012 at 1:08 AM, Stephane Bortzmeyer <bortzme...@nic.fr> wrote:
> It may be a bug in BIND and it is certainly a bug in the zone
> pcextreme.nl.
>
> BIND validating resolvers are unable to get the IP address of
> v1.pcextreme.nl.
>
> I believe this is because of the strange NSEC:
>
> tools-newerst.pcextreme.nl. 2315 IN NSEC v2.pcextreme.nl. AAAA RRSIG NSEC
>
> which says there is nothing between tools-newerst.pcextreme.nl and
> v2.pcextreme.nl (and therefore no v1).
>
> This is inconsistent since there are also A and AAAA records for
> v1.pcextreme.nl.

The issue here is that no delegation NS records exist for v1.pcextreme.nl in its parent zone, pcextreme.nl. Thus when any server (authoritative for both zones) is queried for v1.pcextreme.nl/DS, NXDOMAIN is returned because there are no records by that name in the parent (no DS or NS). Because BIND looks upward for DS RRs after validating RRSIGs in v1.pcextreme.nl, it gets the NXDOMAIN response, which changes the cache's understanding of v1.pcextreme.nl -- specifically that the name doesn't exist. The results from your resolver are reflecting that behavior. unbound perhaps handles authentication differently, e.g., top-down, so it doesn't ever perform the DS query and thus never receives NXDOMAIN for the name.

See also the delegation warning at:
http://dnsviz.net/d/v1.pcextreme.nl/UIY0lg/dnssec/

Casey
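The reasoning in the thread (the NSEC from tools-newerst to v2 covers v1 in canonical order, so a DS query for v1 at the parent gets an authenticated NXDOMAIN, not a delegation) can be checked mechanically. The following is an added example written for this list archive, not BIND's or Unbound's code: it implements the canonical name ordering of RFC 4034 section 6.1 and the NSEC coverage rules of RFC 4035 section 5.4 / RFC 6840 section 4.1, then classifies what the parent-side NSEC tells a validator asking for child/DS. The NSEC record and names are the ones quoted above; the function names and the classification labels are assumptions of this example. It does not verify RRSIGs and does not handle NSEC3.

```python
# Added example (not from the thread): what an NSEC record proves about a
# queried name, using DNSSEC canonical name order (RFC 4034 s6.1) and the
# coverage rules of RFC 4035 s5.4 / RFC 6840 s4.1. The NSEC record and names
# are the ones quoted in the thread; function names and labels are this
# example's own. RRSIG verification and NSEC3 are out of scope here.


def canonical_key(name: str) -> tuple:
    """Sort key for canonical ordering: labels are compared from the root
    leftwards, case-insensitively, as raw bytes. A name that is a proper
    ancestor of another sorts first (tuple prefix comparison gives that)."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return tuple(l.encode("ascii") for l in reversed(labels))


def canonical_lt(a: str, b: str) -> bool:
    """True if a sorts strictly before b in canonical order."""
    return canonical_key(a) < canonical_key(b)


def is_subdomain(name: str, ancestor: str) -> bool:
    """True if name is strictly below ancestor."""
    nk, ak = canonical_key(name), canonical_key(ancestor)
    return len(nk) > len(ak) and nk[:len(ak)] == ak


def nsec_proves(name: str, owner: str, next_name: str, types: set, apex: str) -> str:
    """Classify what NSEC(owner -> next_name, types) says about name:
      'exists'          name is the NSEC owner; consult the type bitmap
      'covered'         owner < name < next (or name > owner when next wraps
                        to the apex): no such name exists in this zone
      'not_applicable'  this record does not speak about this name
    """
    if canonical_key(name) != canonical_key(apex) and not is_subdomain(name, apex):
        return "not_applicable"  # name is outside this zone
    if canonical_key(name) == canonical_key(owner):
        return "exists"
    # An NSEC at a delegation point (NS set, SOA not set) proves nothing about
    # names below it: those live in the child zone (RFC 6840 s4.1).
    if is_subdomain(name, owner) and "NS" in types and "SOA" not in types:
        return "not_applicable"
    wraps = canonical_key(next_name) == canonical_key(apex)
    after_owner = canonical_lt(owner, name)
    before_next = wraps or canonical_lt(name, next_name)
    return "covered" if after_owner and before_next else "not_applicable"


def classify_delegation(child: str, owner: str, next_name: str, types: set, apex: str) -> str:
    """What a validator learns from the parent-side NSEC returned for child/DS,
    the step Casey describes in the thread:
      'missing_delegation'   NXDOMAIN proof: neither NS nor DS for child in the parent
      'not_a_delegation'     child exists in the parent as an ordinary name (no NS)
      'insecure_delegation'  NS present, DS absent: unsigned child
      'secure_delegation'    NS and DS present
      'unknown'              this NSEC does not settle the question
    """
    proof = nsec_proves(child, owner, next_name, types, apex)
    if proof == "covered":
        return "missing_delegation"
    if proof == "exists":
        if "DS" in types:
            return "secure_delegation"
        if "NS" in types:
            return "insecure_delegation"
        return "not_a_delegation"
    return "unknown"


# The NSEC quoted in the thread, as served by the parent zone pcextreme.nl.
PARENT_NSEC = ("tools-newerst.pcextreme.nl.", "v2.pcextreme.nl.",
               {"AAAA", "RRSIG", "NSEC"})
APEX = "pcextreme.nl."

if __name__ == "__main__":
    owner, nxt, types = PARENT_NSEC
    for qname in ("v1.pcextreme.nl.", "tools-newerst.pcextreme.nl.", "v2.pcextreme.nl."):
        print(qname, "->", nsec_proves(qname, owner, nxt, types, APEX))
    print("v1.pcextreme.nl/DS at the parent ->",
          classify_delegation("v1.pcextreme.nl.", owner, nxt, types, APEX))
```

Run as a script it reports v1.pcextreme.nl as covered and the DS lookup as a missing delegation, which is exactly the inconsistency DNSViz flags: the child zone is signed and answers for the name, while the parent's NSEC chain asserts the name does not exist. The delegation-point test in `nsec_proves` matters in the other direction: once the parent does carry an NS RRset for v1, its NSEC at that owner must not be read as proof about names underneath it.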