On 3/09/18 21:03, Tony Finch wrote:
> Laurent Bigonville <bigon+b...@bigon.be> wrote:
>> With bind9 server (I can reproduce that on RHEL7 with 9.9.4, debian stable
>> with 9.10.3 and also debian unstable with 9.11.4) when doing "dig ds
>> c10r.facebook.com @10.122.17.186", I get a SERVFAIL.
> This is because the authoritative servers for facebook.com do not
> implement any DNSSEC, so they don't know that DS records are found on the
> parent side of a zone cut, so they return a referral instead of a negative
> answer. BIND treats this as a server failure, and does not attempt to work
> around the antediluvian ignorance of the auth servers. In practice it
> shouldn't matter since there shouldn't be any signed zones underneath a
> server that doesn't know about DNSSEC.

The problem is that systemd-resolved (maybe other software is doing the same?) is asking for the DS record to check whether the record is supposed to be signed (well, I think) before trying to do DNSSEC validation on the client side.

I'm also wondering (and pardon my ignorance, but) why does bind try all the forwarders and then the auth server if the 1st server already replied with an empty answer and a NOERROR?


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

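The distinction Tony draws above, between a proper negative answer for a DS query and the referral a DNSSEC-unaware parent sends, comes down to the shape of the response: NOERROR with an empty ANSWER section in both cases, but a negative answer carries the parent's SOA in AUTHORITY with the AA bit set, while a referral has AA clear, NS records for the child in AUTHORITY and no SOA. The following is an added example, not code from the thread, from BIND or from systemd-resolved: it builds the two kinds of response as constructed wire-format messages (the owner names and the placeholder nameserver `ns.example.` are made up, not captures from facebook.com's servers) and classifies them the way a validating resolver has to, refusing to treat the referral as an answer.

```python
"""
Classify an authoritative server's reply to a DS query.

DS records live on the PARENT side of a zone cut, so "DS c10r.facebook.com"
is answered by the facebook.com servers. A DNSSEC-aware parent replies
NOERROR, empty ANSWER, SOA in AUTHORITY, aa=1 (a "NODATA" negative answer).
A DNSSEC-unaware parent sees a name below a delegation it serves and sends a
referral instead: aa=0, NS records in AUTHORITY, no SOA. A validating
resolver must not accept the referral as proof that no DS exists.
"""
import struct

QTYPE = {"NS": 2, "SOA": 6, "DS": 43}


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past a wire-format name (compression pointers included)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def build_response(qname, qtype, rcode, aa, authority):
    """Build a response with an empty ANSWER section.

    `authority` is a list of (owner, rrtype) tuples. Only the section layout and
    flags matter for classification, so rdata is filled with plausible placeholders.
    """
    flags = 0x8000 | (0x0400 if aa else 0) | (rcode & 0xF)   # QR, AA, RCODE
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, len(authority), 0)
    msg += encode_name(qname) + struct.pack("!HH", QTYPE[qtype], 1)
    for owner, rtype in authority:
        if rtype == "NS":
            rdata = encode_name("ns.example.")                 # hypothetical nameserver
        else:   # SOA: mname, rname, serial, refresh, retry, expire, minimum
            rdata = (encode_name("ns.example.") + encode_name("hostmaster.example.")
                     + struct.pack("!IIIII", 1, 3600, 900, 604800, 3600))
        msg += encode_name(owner) + struct.pack("!HHIH", QTYPE[rtype], 1, 3600, len(rdata)) + rdata
    return msg


def parse_response(msg):
    """Return rcode, AA flag and the RR types seen in ANSWER and AUTHORITY."""
    _ident, flags, qd, an, ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                          # QTYPE + QCLASS

    def read_rrs(count, off):
        types = []
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10 + rdlen
            types.append(rtype)
        return types, off

    answer, off = read_rrs(an, off)
    authority, off = read_rrs(ns, off)
    return {"rcode": flags & 0xF, "aa": bool(flags & 0x0400),
            "answer": answer, "authority": authority}


def classify_ds_response(msg):
    """Map a DS response onto what a validating resolver may conclude from it."""
    r = parse_response(msg)
    if r["rcode"] == 3:
        return "NXDOMAIN"
    if r["rcode"] != 0:
        return "RCODE%d" % r["rcode"]
    if r["answer"]:
        return "DS_PRESENT" if QTYPE["DS"] in r["answer"] else "UNEXPECTED"
    if r["aa"] and QTYPE["SOA"] in r["authority"]:
        return "NODATA"        # authoritative denial: the delegation is unsigned
    if not r["aa"] and QTYPE["NS"] in r["authority"] and QTYPE["SOA"] not in r["authority"]:
        return "REFERRAL"      # parent does not know DS lives on its side; not an answer
    return "LAME"


# Constructed sample messages (not real captures) for "DS c10r.facebook.com":
DNSSEC_AWARE = build_response("c10r.facebook.com.", "DS", 0, True, [("facebook.com.", "SOA")])
DNSSEC_UNAWARE = build_response("c10r.facebook.com.", "DS", 0, False, [("c10r.facebook.com.", "NS")])

if __name__ == "__main__":
    for label, m in (("dnssec-aware parent", DNSSEC_AWARE), ("dnssec-unaware parent", DNSSEC_UNAWARE)):
        print("%-22s -> %s" % (label, classify_ds_response(m)))
```

The same check can be made by eye with dig against a parent server directly (`dig +norecurse DS child.example @parent-nameserver`): a negative answer shows `flags: qr aa` and an SOA in the AUTHORITY SECTION, a referral shows `flags: qr` without `aa` and only NS records there. The classifier deliberately returns `REFERRAL` rather than `NODATA` for the second shape; treating it as "no DS, so unsigned" would let a DNSSEC-unaware or spoofed parent downgrade a signed child, which is why a resolver fails the lookup instead.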