I prefer to only name and shame when I’m 100% sure of the target. -- Mark Andrews
> On 30 Apr 2024, at 06:56, Lee <ler...@gmail.com> wrote: > > On Sun, Apr 28, 2024 at 7:56 PM Mark Andrews wrote: >> >> It isn’t DNSSEC. It’s a badly configured DNS server that is claiming that it >> serves .com rather than dnssec-analyzer-gslb.verisignlabs.com which is >> actually delegated to it. >> >> % dig dnssec-analyzer-gslb.verisignlabs.com aaaa +trace +all >> ;; BADCOOKIE, retrying. >> >> ; <<>> DiG 9.19.24-dev <<>> dnssec-analyzer-gslb.verisignlabs.com aaaa >> +trace +all >> ;; global options: +cmd >> ;; Got answer: >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37498 >> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 27 > <.. snip lots ..> > >> ;; AUTHORITY SECTION: >> com. 60 IN SOA this.name.is.invalid. hostmaster.this.name.is.invalid. >> 2023030710 10800 3600 604800 60 > > I did a search for "this.name.is.invalid" and the only results I got > were for F5 support pages - eg. > The fix in BIG-IP DNS 14.1.0 introduces a new setting, > wideip-zone-nameserver, which defaults the WideIP zone nameserver to > this.name.is.invalid. > > Wouldn't a badly configured F5 server be a better explanation? > > Thanks > Lee -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
