SERVFAIL from validating nameservers for advocaat.pro & advocaten.pro

Chris Thompson cet1 at cam.ac.uk
Sat Feb 7 17:58:46 UTC 2009


On Feb 6 2009, Mark Andrews wrote:

>In message <Prayer.1.3.1.0902051754210.4908 at hermes-2.csi.cam.ac.uk>, 
>Chris Thompson writes:
[...]
>> More info about the "not consistently" bit. With nothing about
>> them in the cache ("rndc flushname advocaat.pro") looking up SOA or
>> NS records for them gives SERVFAIL. But looking up A records does
>> not, and after that SOA and NS lookups work OK as well.
>> 
>> Hmmm...
>
>	The TLD lies.  DNSSEC is doing exactly what it is
>	supposed to do and is blocking bad answers.
>
>	Mark
>
>; <<>> DiG 9.3.6-P1 <<>> advocaat.pro soa @c.gtld.pro +dnssec
>;; global options:  printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29667
>;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
>;; QUESTION SECTION:
>;advocaat.pro.			IN	SOA
>
>;; AUTHORITY SECTION:
>pro.			14400	IN	SOA	a.gtld.pro. hostmaster.registrypro.pro. 2009020518 28800 7200 604800 300

Ah, yes -- many thanks for the elucidation.

Indeed, looking up SOA for advocaat.pro via a non-validating nameserver
(without it having already discovered the NS records for it) believes
this crap and reports it back to the caller.

The nameservers for "pro" seem to have some very odd bugs:

 * asked about the SOA for a sub-zone, they authoritatively deny its 
    existence, as above.
 * asked about NS records for a sub-zone, they return the delegation
    set as the _answer_. That's also true of the *.gtld-servers.net lot,
    but these are worse, because unlike them they claim the answer is
    authoritative.
 * even when they do give a referral, it is marked authoritative.

One hardly dares to ask how they achieve all this ...

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
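
The three behaviours listed in the message above can be told apart from a correct referral by the AA flag and by which section carries the records. The following is an added example, not part of the original post: `parse_dig` and `classify` are hypothetical helper names, the first sample is the capture quoted above (trimmed, SOA record unwrapped), and the other samples are constructed with `ns1.example.net.` as a placeholder.

```python
import re

def parse_dig(text):
    """Extract the AA flag and (owner, type) pairs per section from dig output."""
    aa, section, rrs = False, None, {"ANSWER": [], "AUTHORITY": []}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r";; flags:([^;]*);", line)
        if m:
            aa = "aa" in m.group(1).split()
        elif line.startswith(";; ") and line.endswith(" SECTION:"):
            section = line[3:].split()[0]
        elif line and not line.startswith(";") and section in rrs:
            f = line.split()  # owner ttl class type rdata...
            rrs[section].append((f[0].lower(), f[3].upper()))
    return aa, rrs["ANSWER"], rrs["AUTHORITY"]

def classify(text, child, parent):
    """Classify a parent-zone server's reply to a query for a delegated child."""
    aa, answer, authority = parse_dig(text)
    if (child, "NS") in answer:
        return "delegation NS in answer section" + (", marked authoritative" if aa else "")
    if not answer and aa and (parent, "SOA") in authority:
        return "authoritative denial at delegation point"
    if not answer and (child, "NS") in authority:
        return "referral marked authoritative" if aa else "proper referral"
    return "other"

# Capture from the message above (header lines trimmed, SOA record unwrapped).
DENIAL = """;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;advocaat.pro. IN SOA
;; AUTHORITY SECTION:
pro. 14400 IN SOA a.gtld.pro. hostmaster.registrypro.pro. 2009020518 28800 7200 604800 300
"""
# Constructed samples; ns1.example.net. is a placeholder, not a real delegation.
NS_ANSWER = """;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
advocaat.pro. 86400 IN NS ns1.example.net.
"""
AA_REFERRAL = """;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; AUTHORITY SECTION:
advocaat.pro. 86400 IN NS ns1.example.net.
"""
REFERRAL = AA_REFERRAL.replace("qr aa rd", "qr rd")  # what a correct parent sends

if __name__ == "__main__":
    for name in ("DENIAL", "NS_ANSWER", "AA_REFERRAL", "REFERRAL"):
        print(name, "->", classify(globals()[name], "advocaat.pro.", "pro."))
```
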



