--- Begin Message ---
On 2024-07-29 13:58, Jared Mauch wrote:
> On Sat, Jul 27, 2024 at 10:05:31AM +1000, Viktor Dukhovni wrote:
>> On Fri, Jul 26, 2024 at 04:53:10PM -0500, Richard Laager via dns-operations wrote:
>>> According to a BIND developer:
>>> "simply by querying for cdc.gov/NS first and only then querying for
>>> www.cdc.gov/A - the result will be a SERVFAIL... That's because the
>>> authoritative server set is different in gov. and in cdc.gov. and, in
>>> particular, all of the servers listed in the NS RRset at the child side of
>>> the zone cut return REFUSED to all queries for akam.cdc.gov and its
>>> subdomains. That's why as soon as a resolver caches the child-side NS
>>> RRset, it will not be able to resolve anything inside the akam.cdc.gov zone"
>> This is correct: only the parent-side NS RRset includes nameservers that
>> are willing to delegate "akam.cdc.gov".
> I would say that I lightly consider this a bug in dig which won't report
> the response received:
I'm not following. dig _is_ reporting the response it gets, which is
REFUSED:
$ dig www.akam.cdc.gov A @ns1.cdc.gov | grep status
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 37848
You are running something different when you use +trace, which depending
on the exact behavior of dig could work 2 out of 5 times, depending on
whether dig picks auth*.ns.uu.net or ns*.cdc.gov. That inconsistency is
the problem, which is why my example gives the more specific case of
querying ns1.cdc.gov to demonstrate that it refuses the query.
--
Richard
--- End Message ---
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
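The failure mode the BIND developer describes, and the parent-side versus child-side NS comparison Richard's dig commands perform, can be reproduced offline with a toy resolver. The following is an added example, not code from the thread, from BIND or from dig; every server label (gov-ns, uu-a, cdc-ns1, cdc-ns2, akam-ns), the zone layout and the 192.0.2.10 address are constructed placeholders modelled on the thread, and nothing here touches the network.

```python
# Added example (not from the thread, BIND or dig): a toy iterative resolver
# reproducing the child-side NS RRset problem. All server labels, zone names
# and addresses are constructed placeholders; nothing here touches the network.
from dataclasses import dataclass, field


def encloses(zone: str, name: str) -> bool:
    """True if `name` is at or below `zone` (both written fully qualified)."""
    return name == zone or name.endswith("." + zone)


@dataclass
class Server:
    """An authoritative server: zone data plus, optionally, a REFUSED policy."""
    name: str
    zones: dict                                   # apex -> {"ns", "delegations", "records"}
    refuse_under: set = field(default_factory=set)

    def query(self, qname: str, qtype: str):
        # Child-side behaviour from the thread: REFUSED for any name under the
        # configured suffixes, even though the server serves the enclosing zone.
        if any(encloses(s, qname) for s in self.refuse_under):
            return "REFUSED", None
        apexes = [z for z in self.zones if encloses(z, qname)]
        if not apexes:
            return "REFUSED", None                # not authoritative for the name at all
        apex = max(apexes, key=len)
        zone = self.zones[apex]
        if qname == apex and qtype == "NS":
            return "ANSWER", set(zone["ns"])      # the authoritative (child-side) NS RRset
        for child, nss in zone.get("delegations", {}).items():
            if encloses(child, qname):
                return "DELEGATION", (child, set(nss))
        return "ANSWER", list(zone.get("records", {}).get((qname, qtype), []))


class Resolver:
    """Minimal iterative resolver that caches NS RRsets by zone apex."""

    def __init__(self, servers: dict, hints: dict):
        self.servers = servers
        self.ns_cache = {apex: set(nss) for apex, nss in hints.items()}

    def resolve(self, qname: str, qtype: str):
        for _ in range(16):                       # bound the referral chase
            apex = max((z for z in self.ns_cache if encloses(z, qname)), key=len)
            for sname in sorted(self.ns_cache[apex]):
                rcode, data = self.servers[sname].query(qname, qtype)
                if rcode == "REFUSED":
                    continue                      # lame server: try the next one in the set
                if rcode == "DELEGATION":
                    child, nss = data
                    self.ns_cache[child] = nss    # cache the parent-side referral
                    break
                if qtype == "NS" and qname == apex:
                    self.ns_cache[apex] = data    # child-side RRset replaces the parent-side one
                return "NOERROR", data
            else:
                return "SERVFAIL", None           # every server in the cached set refused
        return "SERVFAIL", None


def build_world() -> dict:
    # Constructed topology: the gov. delegation for cdc.gov. lists a server outside
    # cdc.gov. ("uu-a") plus "cdc-ns1", while the cdc.gov. apex NS RRset lists only
    # the cdc-ns* servers, and those refuse everything under akam.cdc.gov.
    cdc_zone = {"ns": {"cdc-ns1", "cdc-ns2"},
                "delegations": {"akam.cdc.gov.": {"akam-ns"}}}
    return {
        "gov-ns": Server("gov-ns", {"gov.": {"ns": {"gov-ns"},
                                             "delegations": {"cdc.gov.": {"uu-a", "cdc-ns1"}}}}),
        "uu-a": Server("uu-a", {"cdc.gov.": cdc_zone}),
        "cdc-ns1": Server("cdc-ns1", {"cdc.gov.": cdc_zone}, {"akam.cdc.gov."}),
        "cdc-ns2": Server("cdc-ns2", {"cdc.gov.": cdc_zone}, {"akam.cdc.gov."}),
        "akam-ns": Server("akam-ns", {"akam.cdc.gov.": {
            "ns": {"akam-ns"},
            "records": {("www.akam.cdc.gov.", "A"): ["192.0.2.10"]}}}),
    }


def resolve_a_directly():
    """Fresh cache, A query first: the referral comes from the parent-side set."""
    return Resolver(build_world(), {"gov.": {"gov-ns"}}).resolve("www.akam.cdc.gov.", "A")


def resolve_a_after_ns():
    """Fresh cache, cdc.gov NS first: the child-side set is cached, then refuses."""
    r = Resolver(build_world(), {"gov.": {"gov-ns"}})
    r.resolve("cdc.gov.", "NS")
    return r.resolve("www.akam.cdc.gov.", "A")


def parent_only_servers(servers: dict, apex: str, parent: str, child: str) -> set:
    """The check from the thread: servers in the parent-side delegation
    that are missing from the child's apex NS RRset."""
    _, (_, parent_set) = servers[parent].query(apex, "NS")   # referral from the parent
    _, child_set = servers[child].query(apex, "NS")          # authoritative answer from the child
    return parent_set - child_set


if __name__ == "__main__":
    print("A first:    ", resolve_a_directly())      # ('NOERROR', ['192.0.2.10'])
    print("NS first:   ", resolve_a_after_ns())      # ('SERVFAIL', None)
    print("parent-only:", parent_only_servers(build_world(), "cdc.gov.", "gov-ns", "cdc-ns1"))
```

The first scenario succeeds because the resolver walks the parent-side referral, gets REFUSED from cdc-ns1, and retries uu-a, which hands out the akam.cdc.gov. delegation; the second fails because the apex NS query replaced the cached set with the child-side servers, all of which refuse. `parent_only_servers` is the offline counterpart of comparing a parent-side referral with a child-side NS answer, the same comparison the dig commands in the thread make against live servers.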