Thanks for the help. I guess it is time to move to 9.18.

_________________________________________________________
Nicholas Miller, OIT, University of Colorado at Boulder

> On Sep 19, 2023, at 1:53 AM, Ondřej Surý <ond...@isc.org> wrote:
>
>> On 19. 9. 2023, at 9:25, Petr Špaček <pspa...@isc.org> wrote:
>>
>> All I can tell you is "it works on my system" (with BIND, of course):
>
> I can reproduce this on BIND 9.16 (-c /dev/null as named.conf):
>
> ## BIND 9.19-dev
>
> 19-Sep-2023 09:33:51.633 validating pms.psc.gov/CNAME: no valid signature found
> 19-Sep-2023 09:33:52.485 validating ha.psc.gov/DS: no valid signature found
> 19-Sep-2023 09:33:52.485 validating ha.psc.gov/DS: no valid signature found
> 19-Sep-2023 09:33:52.485 validating pms.ha.psc.gov/A: no valid signature found
>
> $ bin/dig/dig +noall +comments -p 12345 pms.psc.gov @127.0.0.1
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35947
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: 76cc17ac4ce491b901000000650950c533d1d3531585cef9 (good)
>
> ## BIND 9.18-dev
>
> 19-Sep-2023 09:36:10.717 validating pms.psc.gov/CNAME: no valid signature found
> 19-Sep-2023 09:36:11.581 validating ha.psc.gov/DS: no valid signature found
> 19-Sep-2023 09:36:11.581 validating ha.psc.gov/DS: no valid signature found
> 19-Sep-2023 09:36:11.581 validating pms.ha.psc.gov/A: no valid signature found
>
> $ bin/dig/dig +noall +comments -p 12345 pms.psc.gov @127.0.0.1
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30482
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: f109de3980764a42010000006509507caea9fe0064088c8e (good)
>
> ## BIND 9.16-dev
>
> 19-Sep-2023 09:37:17.685 validating pms.psc.gov/CNAME: no valid signature found
> 19-Sep-2023 09:37:27.685 query client=0x7f0b840013b0 thread=0x7f0b8ed7b6c0(pms.ha.psc.gov/A): query_gotanswer: unexpected error: timed out
>
> $ bin/dig/dig +short -p 12345 pms.psc.gov @127.0.0.1
>
> $ bin/dig/dig +noall +comments -p 12345 pms.psc.gov @127.0.0.1
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45084
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: e5b154394f270022010000006509503c139afd80b72dd04a (good)
>
> Those servers are broken with QNAME minimization and should be fixed, but
> as we changed the QNAME minimization algorithm to use NS records instead
> of A records in BIND 9.18.17 and higher, it works now.
>
> I can confirm this works in BIND 9.18.17 and higher. And it's absolutely not
> BIND 9's fault.
>
> Cheers,
> --
> Ondřej Surý (He/Him)
> ond...@isc.org
>
> My working hours and your working hours may be different. Please do not feel
> obligated to reply outside your normal working hours.
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
> this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
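
Added example, not part of the original thread: a short Python script that compares the named log messages from the three runs quoted above and reports which message class appears only in the run that ended in SERVFAIL. The transcript lines are copied from the quoted message (duplicates dropped); the function names and the `<rr>`/`<ptr>` placeholders are this example's own.

```python
import re

# Log and dig header lines copied from the quoted message (duplicate lines dropped).
TRANSCRIPT = """\
## BIND 9.19-dev
19-Sep-2023 09:33:51.633 validating pms.psc.gov/CNAME: no valid signature found
19-Sep-2023 09:33:52.485 validating ha.psc.gov/DS: no valid signature found
19-Sep-2023 09:33:52.485 validating pms.ha.psc.gov/A: no valid signature found
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35947
## BIND 9.18-dev
19-Sep-2023 09:36:10.717 validating pms.psc.gov/CNAME: no valid signature found
19-Sep-2023 09:36:11.581 validating ha.psc.gov/DS: no valid signature found
19-Sep-2023 09:36:11.581 validating pms.ha.psc.gov/A: no valid signature found
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30482
## BIND 9.16-dev
19-Sep-2023 09:37:17.685 validating pms.psc.gov/CNAME: no valid signature found
19-Sep-2023 09:37:27.685 query client=0x7f0b840013b0 thread=0x7f0b8ed7b6c0(pms.ha.psc.gov/A): query_gotanswer: unexpected error: timed out
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45084
"""

HEADER = re.compile(r"^## BIND (\S+)")
LOGLINE = re.compile(r"^\d{2}-\w{3}-\d{4} [\d:.]+ (.*)$")
STATUS = re.compile(r"status: (\w+)")

def signature(msg):
    """Reduce a log message to its class by masking pointers and name/type pairs."""
    msg = re.sub(r"0x[0-9a-f]+", "<ptr>", msg)
    return re.sub(r"[\w.-]+/[A-Z]+", "<rr>", msg)

def parse(transcript):
    """Return {version: {"status": rcode, "sigs": set of message classes}}."""
    runs, cur = {}, None
    for line in transcript.splitlines():
        if m := HEADER.match(line):
            cur = runs.setdefault(m.group(1), {"status": None, "sigs": set()})
        elif cur is None:
            continue  # ignore anything before the first version header
        elif m := LOGLINE.match(line):
            cur["sigs"].add(signature(m.group(1)))
        elif m := STATUS.search(line):
            cur["status"] = m.group(1)
    return runs

def failure_only_signatures(runs):
    """Message classes logged by SERVFAIL runs and by no NOERROR run."""
    ok = set().union(*(r["sigs"] for r in runs.values() if r["status"] == "NOERROR"))
    bad = set().union(*(r["sigs"] for r in runs.values() if r["status"] == "SERVFAIL"))
    return bad - ok

if __name__ == "__main__":
    print(failure_only_signatures(parse(TRANSCRIPT)))
```

The "no valid signature found" class is logged by all three versions, so it drops out of the result; only the `query_gotanswer ... timed out` class remains.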