Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled

Roy Badami roy at gnomon.org.uk
Mon Mar 29 10:04:39 UTC 2010


> It looks to me like your example, freebsd.org, is insecure.  

Yes, I agree freebsd.org is insecure, but I still want to be able to
resolve it :-)

.org is signed with NSEC3 and (I think, but could be misremembering)
is using opt-out.  org is registered in DLV, so BIND still has to do
some work to verify that nothing is amiss with the (insecure)
delegation.  If it can't verify that it is correct for freebsd.org to
be insecure then it would be correct for it to fail resolution.

As I say the failures are intermittent - sometimes freebsd.org
resolves fine - sometimes it fails.

I don't think this is specific to freebsd.org, and probably not even
to .org - .org is just one of the higher-profile DNSSEC-signed TLDs.

   -roy
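
The check discussed in the message above, as an added example (not part of the original post and not BIND's code): a validator can accept an unsigned delegation under an NSEC3 zone only if a validated NSEC3 record matches the name with NS but no DS, or an opt-out NSEC3 covers its hash. The function names and the record dict layout are assumptions made for illustration, and signature checking of the NSEC3 records is assumed to have happened already.

```python
import base64
import hashlib

# NSEC3 uses base32hex; its alphabet sorts in the same order as the raw hash.
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hash (algorithm 1, SHA-1) of a domain name, base32hex."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):          # "iterations" extra rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(_B32HEX).lower()

def covers(owner, nxt, target):
    """True if target lies strictly between owner and next in hash order."""
    if owner < nxt:
        return owner < target < nxt
    return target > owner or target < nxt    # last record wraps around

def delegation_status(child, salt_hex, iterations, nsec3_rrs):
    """Classify a delegation using already signature-checked NSEC3 records.

    Each record is a dict: owner, next (hashes), opt_out (bool), types (set).
    Assumes the closest encloser is the direct parent of `child`.
    """
    child_h = nsec3_hash(child, salt_hex, iterations)
    parent_h = nsec3_hash(child.split(".", 1)[1], salt_hex, iterations)
    by_owner = {rr["owner"]: rr for rr in nsec3_rrs}
    match = by_owner.get(child_h)
    if match is not None:
        # Delegation has its own NSEC3: insecure only if NS is set and DS is not.
        ok = "NS" in match["types"] and "DS" not in match["types"]
        return "insecure" if ok else "unproven"
    if parent_h in by_owner:
        for rr in nsec3_rrs:
            if rr["opt_out"] and covers(rr["owner"], rr["next"], child_h):
                return "insecure-optout"
    return "unproven"    # a validator must treat this as bogus (SERVFAIL)
```

If a response is missing the covering or closest-encloser NSEC3, the result is "unproven" even though the delegation really is unsigned, which is the failure mode the message describes.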


