Problem resolving

Ondřej Surý ondrej at isc.org
Thu Sep 16 10:53:12 UTC 2021


Hi Danilo,

there’s a misconfiguration on the verisigndns.com side (already reported to Verisign), where
ftp.rs.verisigndns.com is delegated (e.g. there’s the zonecut), but the child servers are configured
as authoritative for rs.verisigndns.com. If there was just a query for an A record, it wouldn’t matter,
but an AAAA query triggers a NODATA response, which triggers the detection of the mismatched SOA.

named correctly detects the misconfiguration and returns SERVFAIL for the AAAA query.

Cheers,
Ondrej
--
Ondřej Surý (He/Him)
ondrej at isc.org

> On 16. 9. 2021, at 11:42, Danilo Godec via bind-users <bind-users at lists.isc.org> wrote:
> 
> Hello,
> 
> 
> 
> I recently stumbled upon a problem trying to update my root hints file from ftp.rs.internic.net. For some reason, one of my DNS servers running on Alpine Linux can't resolve this name properly and always fails:
> 
> # ping ftp.rs.internic.net
> ping: ftp.rs.internic.net: Try again
> 
> 
> nslookup starts off fine, it prints the A record, but then it fails to:
> # nslookup ftp.rs.internic.net
> 
> Server:         127.0.0.1
> Address:        127.0.0.1#53
> 
> Non-authoritative answer:
> ftp.rs.internic.net     canonical name = ftp.rs.verisigndns.com.
> Name:   ftp.rs.verisigndns.com
> Address: 69.58.179.79
> ** server can't find ftp.rs.verisigndns.com: SERVFAIL
> 
> 
> 
> It seems the problem is with AAAA records, as apparently musl libc tries to resolve both A and AAAA records and fails if either of them is not available. Unfortunately, I couldn't find a way to configure the musl resolver not to try AAAA records.
> 
> Digging a bit deeper I found out that these queries cause BIND to log errors:
> 
> named[12737]: DNS format error from 185.100.2.22#53 resolving ftp.rs.verisigndns.com/AAAA for 127.0.0.1#39521: Name rs.verisigndns.com (SOA) not subdomain of zone ftp.rs.verisigndns.com -- invalid response
> named[12737]: DNS format error from 72.13.39.22#53 resolving ftp.rs.verisigndns.com/AAAA for 127.0.0.1#39521: Name rs.verisigndns.com (SOA) not subdomain of zone ftp.rs.verisigndns.com -- invalid response
> named[12737]: DNS format error from 69.36.158.22#53 resolving ftp.rs.verisigndns.com/AAAA for 127.0.0.1#39521: Name rs.verisigndns.com (SOA) not subdomain of zone ftp.rs.verisigndns.com -- invalid response
> named[12737]: DNS format error from 199.16.87.22#53 resolving ftp.rs.verisigndns.com/AAAA for 127.0.0.1#39521: Name rs.verisigndns.com (SOA) not subdomain of zone ftp.rs.verisigndns.com -- invalid response
> 
> 
> 
> However, if I point the system resolver (or nslookup) to some other DNS (my ISP's DNS, for example), neither ping nor nslookup fails.
> 
> 
> 
> Is there anything I can do on my BIND to make musl libc happy and not fail in such a case? 
> 
> 
> 
>      Thanks,
> 
>     Danilo
> 
> 
> 
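Added example, not part of the original thread and not BIND's own code: a small log triage script that parses the "not subdomain of zone" messages quoted above, repeats the label-by-label containment check the reply describes, and groups the rejecting upstream servers per query. The regular expression is written against the log format shown in the thread; the category names and function names are assumptions made for this example.

```python
import re

# Three lines are the named messages quoted in the thread; the last is constructed.
SAMPLE_LOG = """\
named[12737]: DNS format error from 185.100.2.22#53 resolving ftp.rs.verisigndns.com/AAAA for 127.0.0.1#39521: Name rs.verisigndns.com (SOA) not subdomain of zone ftp.rs.verisigndns.com -- invalid response
named[12737]: DNS format error from 72.13.39.22#53 resolving ftp.rs.verisigndns.com/AAAA for 127.0.0.1#39521: Name rs.verisigndns.com (SOA) not subdomain of zone ftp.rs.verisigndns.com -- invalid response
named[12737]: DNS format error from 69.36.158.22#53 resolving ftp.rs.verisigndns.com/AAAA for 127.0.0.1#39521: Name rs.verisigndns.com (SOA) not subdomain of zone ftp.rs.verisigndns.com -- invalid response
named[12737]: constructed unrelated line that must be ignored
"""

LINE_RE = re.compile(
    r"DNS format error from (?P<server>[0-9A-Fa-f.:]+)#\d+ "
    r"resolving (?P<qname>\S+)/(?P<qtype>[A-Z0-9]+) for \S+: "
    r"Name (?P<owner>\S+) \(SOA\) not subdomain of zone (?P<zone>\S+)"
)

def labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing root dot."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def is_subdomain(name, zone):
    """True if name is at or below zone, compared label by label from the right."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def classify(owner, zone):
    """Relate the SOA owner in a negative response to the zone cut the resolver followed."""
    if is_subdomain(owner, zone):
        return "in-zone"              # acceptable: SOA belongs to the delegated zone
    if is_subdomain(zone, owner):
        return "soa-above-zone-cut"   # child servers answer for an ancestor: this thread's case
    return "unrelated-soa"            # SOA from a different branch of the tree

def triage(log_text):
    """Group rejected responses by (qname, qtype, zone, SOA owner)."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            key = (m["qname"], m["qtype"], m["zone"], m["owner"])
            entry = findings.setdefault(
                key, {"kind": classify(m["owner"], m["zone"]), "servers": set()})
            entry["servers"].add(m["server"])
    return findings

if __name__ == "__main__":
    for key, entry in triage(SAMPLE_LOG).items():
        print(key, entry["kind"], sorted(entry["servers"]))
```

When every listed authoritative server for a name lands in the same "soa-above-zone-cut" group, the pattern matches the delegation mismatch described in the reply rather than a fault in the local resolver.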