Yep, some people just don’t take care with delegations. Complain to Huawei. Complain to the other companies you list in your followup email.
All it takes to fix this is to change the name of the zone on the child servers (ns3.dnsv5.com, gns1.huaweicloud-dns.org and ns4.dnsv5.com) from “huawei.com” to “cloud.huawei.com” and perhaps adjust the NS and SOA records for the zone if they are fully qualified. If there are other delegations from huawei.com for other sub zones to these servers they will also need to be instantiated. It’s maybe 10 minute work for each subdomain to fix. It just requires someone to do the work. This is a very old (last millennia) mis configuration method used by people who want to avoid doing delegations. Domain name speculators used to do this using “com” or even “.” as the zone name and wildcard A records to provide A answers for the zones delegated to the server. It “works” if all you return is positive answers but that hasn’t been true since IPv6 came into existence. e.g. "*. A <webserver-address>” When people come to you and say that it works with Google, et al. point them at https://dnsviz.net/d/cloud.huawei.com/dnssec/ which reports this error and say “Here is a DNS configuration testing site and it reports the zone as broken, you need to take it up with the company." Mark > On 2 Jun 2023, at 00:58, Jesus Cea <j...@jcea.es> wrote: > > I am getting errors "Name huawei.com (SOA) not subdomain of zone > cloud.huawei.com". The problem raises when requesting AAAA on > oauth-login.cloud.huawei.com . The problem was described in the mailing list: > > https://lists.isc.org/pipermail/bind-users/2021-January/104064.html > > BIND is replying with a SERVFAIL. This is correct and appropriate. > Nevertheless resolvers like 8.8.8.8, 1.1.1.1, 9.9.9.9 and many (most) other > are not doing that SOA verification, so for users we are the guilty, not > Huawey, because "using Google it works!". In fact, we have a big customer > phone app failing because of this (yes, this seems to be a bug with that app > but, again, "with google it works!"). > > What can we do? Is possible to disable that check in bind? > > We are using 9.16. We could upgrade to 9.18, if needed. > > Thanks. > > -- > Jesús Cea Avión _/_/ _/_/_/ _/_/_/ > j...@jcea.es - https://www.jcea.es/ _/_/ _/_/ _/_/ _/_/ _/_/ > Twitter: @jcea _/_/ _/_/ _/_/_/_/_/ > jabber / xmpp:j...@jabber.org _/_/ _/_/ _/_/ _/_/ _/_/ > "Things are not so easy" _/_/ _/_/ _/_/ _/_/ _/_/ _/_/ > "My name is Dump, Core Dump" _/_/_/ _/_/_/ _/_/ _/_/ > "El amor es poner tu felicidad en la felicidad de otro" - Leibniz > -- > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from > this list > > ISC funds the development of this software with paid support subscriptions. > Contact us at https://www.isc.org/contact/ for more information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
