'error (chase DS servers)' for static-stub zones
Tony Finch
dot at dotat.at
Wed Feb 4 13:04:40 UTC 2015
Graham Clinch <g.clinch at lancaster.ac.uk> wrote:
>
> What does 'lame-servers: error (chase DS servers) resolving [...]'
> really mean, and is it really an error?
>
> It seems to be: pause the current resolution whilst I start another
> round to fetch a (DS) record from the parent zone, but once that
> completes, everything works out.
>
> In particular, I see this for the first resolution within a static-stub
> zone.
I am not getting this error in my logs. I have a number of static-stub
zones; the interesting ones wrt DS chasing are cam.ac.uk (signed) and
private.cam.ac.uk (unsigned).
My setup led to this change which appeared in 9.9.5:
3689. [bug] Fixed a bug causing an insecure delegation from one
static-stub zone to another to fail with a broken
trust chain. [RT #35081]
> I suppose that the usual process of resolution would involve iterating
> down and so any DS record(s) would come in from the parent whilst
> discovering the delegation NS records, but with static-stub there's no
> need to know the delegation NS records.
Sadly BIND does not make use of DS records in referrals and re-fetches
them explicitly.
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Southeast Fitzroy: Northerly or northeasterly 6 to gale 8. Rough. Showers.
Good.
More information about the bind-users
mailing list