Laurent Bigonville <bigon+b...@bigon.be> wrote:
>
> With bind9 server (I can reproduce that on RHEL7 with 9.9.4, debian stable
> with 9.10.3 and also debian unstable with 9.11.4) when doing "dig ds
> c10r.facebook.com @10.122.17.186", I get a SERVFAIL.

This is because the authoritative servers for facebook.com do not implement any DNSSEC, so they don't know that DS records are found on the parent side of a zone cut, so they return a referral instead of a negative answer. BIND treats this as a server failure, and does not attempt to work around the antediluvian ignorance of the auth servers.

In practice it shouldn't matter since there shouldn't be any signed zones underneath a server that doesn't know about DNSSEC.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Viking, North Utsire: Cyclonic, becoming northerly, 3 or 4, occasionally 5 at
first. Slight or moderate. Rain until later. Moderate or poor, occasionally
good later.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
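
Added example, not part of the original messages: a minimal Python check of the distinction described above, telling a correct negative answer to a DS query (AA set, SOA in the authority section) from a referral (AA clear, NS in the authority section). The function names, the sample replies and the `ns1.example.net` / `hostmaster.example.net` names are constructed for illustration; only the query name comes from the thread.

```python
import struct

NS, SOA, DS = 2, 6, 43  # RR type codes

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:   # walk ordinary labels
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)           # pointer is 2 bytes, root is 1

def classify_ds_response(msg):
    """Classify a reply to a DS query from its header flags and RR types."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                           # question: name, type, class
        off = skip_name(msg, off) + 4
    answer, authority = set(), set()
    for section, count in ((answer, an), (authority, ns)):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            section.add(rtype)
    aa = bool(flags & 0x0400)
    if flags & 0x000F:
        return "error"        # non-zero RCODE
    if DS in answer:
        return "answer"       # DS RRset returned
    if aa and SOA in authority:
        return "nodata"       # authoritative negative answer
    if not aa and NS in authority:
        return "referral"     # delegation returned instead of a negative answer
    return "other"

def wire(name):
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"

def build(flags, authority):
    """Constructed reply to 'c10r.facebook.com DS' with an empty answer section."""
    msg = struct.pack("!6H", 1, flags, 1, 0, len(authority), 0)
    msg += wire("c10r.facebook.com") + struct.pack("!HH", DS, 1)
    for owner, rtype, rdata in authority:
        msg += wire(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg

# Constructed samples; the name server and mailbox names are placeholders.
REFERRAL = build(0x8000, [("c10r.facebook.com", NS, wire("ns1.example.net"))])
SOA_RDATA = (wire("ns1.example.net") + wire("hostmaster.example.net")
             + struct.pack("!5I", 1, 3600, 600, 604800, 300))
NODATA = build(0x8400, [("facebook.com", SOA, SOA_RDATA)])
```

`classify_ds_response(REFERRAL)` returns `"referral"` and `classify_ds_response(NODATA)` returns `"nodata"`.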