On Wed, Oct 03, 2012 at 04:26:33PM -0400, Wietse Venema wrote: > Bill Cole: > > ; <<>> DiG 9.9.1-P3 <<>> dfleur.com mx > > ;; global options: +cmd > > ;; Got answer: > > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41183 > > How will I reproduce this quickly?
Comcast owns dnssec-failed.org, a zone set up with deliberately broken DNSSEC. If your nameserver is verifying signatures, you will get a SERVFAIL for any names in that zone. It's also easy to set up a zone locally to have a SERVFAIL result. Probably an invalid zone file is all it takes. Insert a record with an out-of-zone owner name. -- http://rob0.nodns4.us/ -- system administration and consulting Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
