Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled

Michael Sinatra michael at rancid.berkeley.edu
Thu Apr 15 00:00:05 UTC 2010


On 04/14/10 16:28, Roy Badami wrote:
>> Well, FWIW I upgraded to 9.7.0-P1 and tried enabling DLV again and
>> I've seen no repeat of the DNSSEC name resolution issues so far; it's
>> early days yet (only been running DLV for three days) but certainly
>> looking promising.
>
> I spoke too soon.  I've now found a query that (at least this evening)
> is consistently failing for me, even if I restart BIND.
>
> The following query gives me SERVFAIL
>
>     dig www.bbc.net.uk aaaa
>
> But the following two queries work:
>
>     dig www.bbc.net.uk a
>     dig www.bbc.net.uk aaaa +cd

How does the last query "work"?  I consistently get a NOERROR using 
unbound as a validating resolver, and that's also what I get when 
querying the authoritative nameservers for bbc.net.uk.

I am easily able to replicate your results on my set-up.

I also get the following log from BIND:

14-Apr-2010 16:33:14.953 error (broken trust chain) resolving 'www.bbc.net.uk/AAAA/IN': 212.58.224.20#53

> This is particularly odd, because there is absolutely no DNSSEC
> involved here.  No domain above www.bbc.net.uk appears to be in the
> DLV registry, and BIND must be able to successfully verify the
> covering NSEC record that proves that in order to be willing to
> resolve the A query above.  So I can't immediately see any way this
> situation could arise except due to a BIND bug.
>
> Anyone else have an IPv6-connected BIND 9.7.0-P1 host with DLV enabled
> they can try this query on?

The authoritative DNS servers for bbc.net.uk appear to be kind of 
broken, in that they don't return authoritative NS records for 
bbc.net.uk, even when queried.  They do return an SOA record.  I think 
some of the goofiness may be due to that lack of authority records. 
Note that an authoritative BIND server will generally refuse to load a 
zone without NS records.

Also:

 > dig any bbc.net.uk @ns0.rbsov.bbc.co.uk

; <<>> DiG 9.7.0-P1 <<>> any bbc.net.uk @ns0.rbsov.bbc.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32624
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;bbc.net.uk.                    IN      ANY

;; ANSWER SECTION:
bbc.net.uk.             3600    IN      TXT     "BBC Intelligent Load Balancing Domain"
bbc.net.uk.             3600    IN      SOA     ns0e.rbsov.bbc.co.uk. bofh.bbc.co.uk. 1271235700 86400 86400 86400 300

;; Query time: 141 msec
;; SERVER: 212.58.227.47#53(212.58.227.47)
;; WHEN: Wed Apr 14 16:45:09 2010
;; MSG SIZE  rcvd: 148

Obviously, in addition to the lack of NS records, there are serious 
errors in the TXT record above, since the word "Intelligent" clearly 
does not belong there.

michael
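
The comparison made by hand in this thread (the same query with and without +cd) can be scripted. The following is an added example, not part of the original message; the function names and the sample dig headers are constructed, and triage assumes a dig binary and a validating resolver.

```shell
#!/bin/sh
# Added example: classify a resolver failure by comparing the same query
# with and without the CD (checking disabled) bit.

# Constructed sample headers (not captured from a real resolver).
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1111
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_CD_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0'

# Print the RCODE from dig's "->>HEADER<<-" comment line.
dig_status() {
    printf '%s\n' "$1" |
        sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Print the header flags (e.g. "qr rd ra ad") from dig's ";; flags:" line.
dig_flags() {
    printf '%s\n' "$1" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1
}

# classify PLAIN_OUTPUT CD_OUTPUT: both arguments are full dig outputs.
classify() {
    plain_rc=$(dig_status "$1")
    cd_rc=$(dig_status "$2")
    if [ -z "$plain_rc" ] || [ -z "$cd_rc" ]; then
        echo "unparsed"                 # no header line found
    elif [ "$plain_rc" = "SERVFAIL" ] && [ "$cd_rc" = "SERVFAIL" ]; then
        echo "resolution-failure"       # fails even with validation off
    elif [ "$plain_rc" = "SERVFAIL" ]; then
        echo "validation-failure"       # data is reachable but was rejected
    else
        case " $(dig_flags "$1") " in
            *" ad "*) echo "validated" ;;   # resolver set the AD bit
            *)        echo "unvalidated" ;; # answered without AD
        esac
    fi
}

# Live use: triage NAME TYPE [RESOLVER_ADDRESS]
triage() {
    server=${3:+@$3}
    classify "$(dig $server +dnssec "$1" "$2")" \
             "$(dig $server +dnssec +cd "$1" "$2")"
}

classify "$SAMPLE_SERVFAIL" "$SAMPLE_CD_OK"
```

A "validation-failure" result corresponds to the pattern reported in this thread: SERVFAIL on the plain query and an answer once +cd is set.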


