> On 19. 9. 2023, at 9:25, Petr Špaček <pspa...@isc.org> wrote:
>
> All I can tell you is "it works on my system" (with BIND, of course):

I can reproduce this on BIND 9.16 (-c /dev/null as named.conf):

## BIND 9.19-dev

19-Sep-2023 09:33:51.633 validating pms.psc.gov/CNAME: no valid signature found
19-Sep-2023 09:33:52.485 validating ha.psc.gov/DS: no valid signature found
19-Sep-2023 09:33:52.485 validating ha.psc.gov/DS: no valid signature found
19-Sep-2023 09:33:52.485 validating pms.ha.psc.gov/A: no valid signature found

$ bin/dig/dig +noall +comments -p 12345 pms.psc.gov @127.0.0.1
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35947
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 76cc17ac4ce491b901000000650950c533d1d3531585cef9 (good)

## BIND 9.18-dev

19-Sep-2023 09:36:10.717 validating pms.psc.gov/CNAME: no valid signature found
19-Sep-2023 09:36:11.581 validating ha.psc.gov/DS: no valid signature found
19-Sep-2023 09:36:11.581 validating ha.psc.gov/DS: no valid signature found
19-Sep-2023 09:36:11.581 validating pms.ha.psc.gov/A: no valid signature found

$ bin/dig/dig +noall +comments -p 12345 pms.psc.gov @127.0.0.1
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30482
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: f109de3980764a42010000006509507caea9fe0064088c8e (good)

## BIND 9.16-dev

19-Sep-2023 09:37:17.685 validating pms.psc.gov/CNAME: no valid signature found
19-Sep-2023 09:37:27.685 query client=0x7f0b840013b0 thread=0x7f0b8ed7b6c0(pms.ha.psc.gov/A): query_gotanswer: unexpected error: timed out

$ bin/dig/dig +short -p 12345 pms.psc.gov @127.0.0.1
$ bin/dig/dig +noall +comments -p 12345 pms.psc.gov @127.0.0.1
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45084
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: e5b154394f270022010000006509503c139afd80b72dd04a (good)

Those servers are broken with QNAME minimization and should be fixed, but as we changed the QNAME minimization algorithm to use NS records instead of A records in BIND 9.18.17 and higher, it works now.

I can confirm this works in BIND 9.18.17 and higher. And it's absolutely not BIND 9's fault.

Cheers,
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
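An added triage helper, not code from the thread or from BIND: it parses the named validator and query_gotanswer lines and the dig +comments header quoted above, so that a SERVFAIL caused by an upstream timeout (the 9.16 symptom in this thread) can be told apart from one caused by DNSSEC validation. The log formats are the ones in the message; the classification labels are my own, and the sample lines are constructed from the 9.16-dev run.

```python
import re
from collections import defaultdict

# Message shapes quoted in the thread: named validator lines, query_gotanswer errors, dig header
VALIDATING_RE = re.compile(r"validating (?P<name>\S+)/(?P<rtype>[A-Z0-9]+): (?P<msg>.+)$")
GOTANSWER_RE = re.compile(
    r"\((?P<name>[^/()]+)/(?P<rtype>[A-Z0-9]+)\): query_gotanswer: unexpected error: (?P<msg>.+)$")
DIG_STATUS_RE = re.compile(r"^;; ->>HEADER<<-.*status: (?P<status>[A-Z]+)")
DIG_ANSWER_RE = re.compile(r"^;; flags:.*ANSWER: (?P<answer>\d+)")

def classify_named_log(lines):
    """Map each queried name to the set of failure messages named logged for it."""
    failures = defaultdict(set)
    for line in lines:
        m = VALIDATING_RE.search(line) or GOTANSWER_RE.search(line)
        if m:  # unrelated log lines are skipped
            failures[m["name"].lower().rstrip(".")].add(m["msg"])
    return dict(failures)

def dig_outcome(dig_lines):
    """Return (status, answer_count) parsed from dig +comments output; None where not found."""
    status = answer = None
    for line in dig_lines:
        if m := DIG_STATUS_RE.match(line):
            status = m["status"]
        if m := DIG_ANSWER_RE.match(line):
            answer = int(m["answer"])
    return status, answer

def diagnose(named_lines, dig_lines):
    """Separate a SERVFAIL caused by an upstream timeout from one caused by DNSSEC validation."""
    status, answer = dig_outcome(dig_lines)
    if status == "NOERROR" and answer:
        return "ok"
    msgs = set().union(*classify_named_log(named_lines).values())
    if "timed out" in msgs:
        return "servfail-timeout"  # an authoritative server did not answer; not a DNSSEC problem
    if "no valid signature found" in msgs:
        return "servfail-validation"
    return "servfail-unknown"

# Constructed from the BIND 9.16-dev run quoted in the thread
NAMED_916 = [
    "19-Sep-2023 09:37:17.685 validating pms.psc.gov/CNAME: no valid signature found",
    "19-Sep-2023 09:37:27.685 query client=0x7f0b840013b0 thread=0x7f0b8ed7b6c0(pms.ha.psc.gov/A):"
    " query_gotanswer: unexpected error: timed out",
]
DIG_916 = [";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45084",
           ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1"]
```

Run it over the named log and dig output of a failing resolution: "servfail-timeout" points at the authoritative side (as in this thread), while "servfail-validation" points at the DNSSEC chain.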