dig ds c10r.facebook.com returns SERVFAIL
Tony Finch
dot at dotat.at
Mon Sep 3 19:03:50 UTC 2018
Laurent Bigonville <bigon+bind at bigon.be> wrote:
>
> With bind9 server (I can reproduce that on RHEL7 with 9.9.4, debian stable
> with 9.10.3 and also debian unstable with 9.11.4) when doing "dig ds
> c10r.facebook.com @10.122.17.186", I get a SERVFAIL.
This is because the authoritative servers for facebook.com do not
implement any DNSSEC, so they don't know that DS records are found on the
parent side of a zone cut, so they return a referral instead of a negative
answer. BIND treats this as a server failure, and does not attempt to work
around the antediluvian ignorance of the auth servers. In practice it
shouldn't matter since there shouldn't be any signed zones underneath a
server that doesn't know about DNSSEC.
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Viking, North Utsire: Cyclonic, becoming northerly, 3 or 4, occasionally 5 at
first. Slight or moderate. Rain until later. Moderate or poor, occasionally
good later.
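The distinction described in the reply above, as an added example that is not part of the original message: a small classifier that tells a parent-side negative answer to a DS query apart from the referral a DNSSEC-unaware server sends. The dict layout, function names and result labels are assumptions made for this illustration, and the two responses are constructed, not captured from the servers in the thread.

```python
# Added example. Responses are constructed dicts standing in for parsed DNS
# messages; they are not captured from the servers discussed in the thread.

def labels(name):
    """Split a domain name into lower-cased labels; the root is []."""
    s = name.lower().rstrip(".")
    return s.split(".") if s else []

def strict_ancestor(zone, name):
    """True if `zone` is a proper ancestor of `name` in the DNS tree."""
    z, n = labels(zone), labels(name)
    return len(z) < len(n) and n[len(n) - len(z):] == z

def classify_ds_response(qname, resp):
    """Classify a reply to `qname IN DS` sent to the parent zone's server."""
    if resp["rcode"] != "NOERROR":
        return "other"
    q = labels(qname)
    if any(rr["type"] == "DS" and labels(rr["name"]) == q
           for rr in resp["answer"]):
        return "ds-answer"
    if resp["answer"]:
        return "other"
    auth = resp["authority"]
    # Parent-side negative answer: AA set, SOA of a zone above the cut.
    if resp["aa"] and any(rr["type"] == "SOA"
                          and strict_ancestor(rr["name"], qname)
                          for rr in auth):
        return "nodata-from-parent"
    # Referral to the child: AA clear, NS RRset owned by the queried name.
    # This is the reply a server gives when it does not know that DS
    # belongs on the parent side of the zone cut.
    if not resp["aa"] and any(rr["type"] == "NS" and labels(rr["name"]) == q
                              for rr in auth):
        return "referral-at-cut"
    return "other"

# Constructed sample replies for "c10r.facebook.com IN DS".
NODATA = {"rcode": "NOERROR", "aa": True, "answer": [],
          "authority": [{"name": "facebook.com.", "type": "SOA"}]}
REFERRAL = {"rcode": "NOERROR", "aa": False, "answer": [],
            "authority": [{"name": "c10r.facebook.com.", "type": "NS"},
                          {"name": "c10r.facebook.com.", "type": "NS"}]}

if __name__ == "__main__":
    for label, resp in (("nodata", NODATA), ("referral", REFERRAL)):
        print(label, "->", classify_ds_response("c10r.facebook.com", resp))
```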