Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled
Paul Wouters
paul at xelerance.com
Mon Mar 29 13:19:53 UTC 2010

On Mon, 29 Mar 2010, Matthew Pounsett wrote:
> On 2010/03/28, at 18:48, Roy Badami wrote:
>
>> configured).  The queries are resulting in SERVFAIL, and I'm pretty
>> sure the failures are DNSSEC-related, as when I've seen problems as
>> they occur (dig failing from the command line) then repeating the
>> query with the CD bit allowed it to succeed.
>
> It looks to me like your example, freebsd.org, is insecure.

I have seen this happen when BIND for some reason (e.g. MTU issues with
VPN) cannot query for the DLV key at dlv.isc.org. I have not figured
out the exact failure mode there. Check the logs to see errors for DNSKEY
queries for dlv.isc.org to see if this is happening here too. However, in
that case, no queries at all make it.

Paul