unresolvable pms.psc.gov, but google/cloudflare/unbound work

Ondřej Surý ondrej at isc.org
Tue Sep 19 07:53:10 UTC 2023


> On 19. 9. 2023, at 9:25, Petr Špaček <pspacek at isc.org> wrote:
> 
> All I can tell you is "it works on my system" (with BIND, of course):

I can reproduce this on BIND 9.16 (-c /dev/null as named.conf):

## BIND 9.19-dev

19-Sep-2023 09:33:51.633 validating pms.psc.gov/CNAME: no valid signature found
19-Sep-2023 09:33:52.485   validating ha.psc.gov/DS: no valid signature found
19-Sep-2023 09:33:52.485     validating ha.psc.gov/DS: no valid signature found
19-Sep-2023 09:33:52.485 validating pms.ha.psc.gov/A: no valid signature found

$ bin/dig/dig +noall +comments -p 12345 pms.psc.gov @127.0.0.1
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35947
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 76cc17ac4ce491b901000000650950c533d1d3531585cef9 (good)

## BIND 9.18-dev

19-Sep-2023 09:36:10.717 validating pms.psc.gov/CNAME: no valid signature found
19-Sep-2023 09:36:11.581   validating ha.psc.gov/DS: no valid signature found
19-Sep-2023 09:36:11.581     validating ha.psc.gov/DS: no valid signature found
19-Sep-2023 09:36:11.581 validating pms.ha.psc.gov/A: no valid signature found

$ bin/dig/dig +noall +comments -p 12345 pms.psc.gov @127.0.0.1
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30482
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: f109de3980764a42010000006509507caea9fe0064088c8e (good)


## BIND 9.16-dev

19-Sep-2023 09:37:17.685 validating pms.psc.gov/CNAME: no valid signature found
19-Sep-2023 09:37:27.685 query client=0x7f0b840013b0 thread=0x7f0b8ed7b6c0(pms.ha.psc.gov/A): query_gotanswer: unexpected error: timed out

$ bin/dig/dig +short -p 12345 pms.psc.gov @127.0.0.1

$ bin/dig/dig +noall +comments -p 12345 pms.psc.gov @127.0.0.1
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45084
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: e5b154394f270022010000006509503c139afd80b72dd04a (good)

Those servers are broken with QNAME minimization and should be fixed, but
as we changed the QNAME minimization algorithm to use NS records instead
of A records in BIND 9.18.17 and higher, it works now.

I can confirm this works in BIND 9.18.17 and higher. And it's absolutely not
BIND 9's fault.

Cheers,
--
Ondřej Surý (He/Him)
ondrej at isc.org

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
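The post attributes the difference between BIND 9.16 and 9.18.17+ to the query type a QNAME-minimising resolver sends for the intermediate names. The following is an added example, not code from this thread or from BIND itself: it builds the sequence of partial names a minimising resolver walks (RFC 9156 style, starting from the closest known zone cut and adding one label at a time) and runs that walk against a constructed toy authoritative server. The toy server is an assumption for illustration only: it is configured to stop answering non-NS queries for one intermediate name, which is enough to show why asking NS for intermediate names can succeed where asking the original type times out. The names (pms.ha.psc.gov and its parents) are taken from the log lines above as sample input; nothing here describes how those real servers actually behave.

```python
"""QNAME minimisation walk, simulated (added example, not from the thread or BIND).

The helper minimised_names() is a plain implementation of the RFC 9156 idea:
query gov., then psc.gov., then ha.psc.gov., ... until the full name is reached.
ToyAuth is a constructed server whose behaviour is an assumption, chosen so that
the two strategies the post compares (intermediate type NS vs. original type)
give different outcomes.
"""
from __future__ import annotations

from dataclasses import dataclass, field


def labels(name: str) -> list[str]:
    """Split a dotted name into labels, least significant first ('gov', 'psc', ...)."""
    return [l for l in name.rstrip(".").split(".") if l][::-1]


def minimised_names(qname: str, known_cut: str = ".") -> list[str]:
    """Partial names a minimising resolver queries, from one label below the
    known zone cut up to and including the full qname (all absolute)."""
    want = labels(qname)
    have = labels(known_cut)
    if want[: len(have)] != have:
        raise ValueError("known_cut must be an ancestor of qname")
    return [".".join(reversed(want[:i])) + "." for i in range(len(have) + 1, len(want) + 1)]


@dataclass
class ToyAuth:
    """Constructed authoritative server (assumption, not a real server).

    records maps (name, qtype) -> rcode string. Names in drops_non_ns never
    answer anything except NS, which the resolver sees as a timeout; this
    mimics a server that mishandles minimised queries for a non-final type.
    """
    records: dict[tuple[str, str], str]
    drops_non_ns: set[str] = field(default_factory=set)

    def query(self, name: str, qtype: str) -> str:
        if name in self.drops_non_ns and qtype != "NS":
            return "TIMEOUT"
        return self.records.get((name, qtype), "NXDOMAIN")


def resolve_minimised(server: ToyAuth, qname: str, final_type: str,
                      intermediate_type: str) -> tuple[str, list[tuple[str, str, str]]]:
    """Walk the minimised names against server and return (outcome, transcript).

    Intermediate names are asked with intermediate_type; the last name with
    final_type. A timeout ends the walk with SERVFAIL, NXDOMAIN stops early,
    NOERROR continues. (Simplified: real resolvers also handle referrals and
    retry strategies, which are out of scope here.)
    """
    transcript: list[tuple[str, str, str]] = []
    names = minimised_names(qname)
    for name in names:
        qtype = final_type if name == names[-1] else intermediate_type
        rcode = server.query(name, qtype)
        transcript.append((name, qtype, rcode))
        if rcode == "TIMEOUT":
            return "SERVFAIL", transcript
        if rcode == "NXDOMAIN":
            return "NXDOMAIN", transcript
    return "NOERROR", transcript


# Constructed sample data: names from the thread, behaviour purely hypothetical.
SAMPLE_SERVER = ToyAuth(
    records={
        ("gov.", "NS"): "NOERROR", ("gov.", "A"): "NOERROR",
        ("psc.gov.", "NS"): "NOERROR", ("psc.gov.", "A"): "NOERROR",
        ("ha.psc.gov.", "NS"): "NOERROR",
        ("pms.ha.psc.gov.", "A"): "NOERROR",
    },
    drops_non_ns={"ha.psc.gov."},  # assumed: only NS queries get an answer here
)


def compare_strategies(server: ToyAuth = SAMPLE_SERVER,
                       qname: str = "pms.ha.psc.gov.") -> dict[str, str]:
    """Outcome of the walk with NS for intermediates vs. the original type."""
    return {
        "NS": resolve_minimised(server, qname, "A", "NS")[0],
        "A": resolve_minimised(server, qname, "A", "A")[0],
    }


if __name__ == "__main__":
    for strategy, outcome in compare_strategies().items():
        print(f"intermediate type {strategy}: {outcome}")
    for step in resolve_minimised(SAMPLE_SERVER, "pms.ha.psc.gov.", "A", "A")[1]:
        print("  ", *step)
```

Running the module prints the two outcomes and the transcript of the failing walk; the point of the transcript is that the failure is pinned to the partial name ha.psc.gov. and the non-NS type, which is exactly the kind of location a resolver log line such as the 9.16 "timed out" entry above points at.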