unresolvable pms.psc.gov, but google/cloudflare/unbound work

Nicholas Miller Nicholas.Miller at Colorado.EDU
Tue Sep 19 12:44:05 UTC 2023


Thanks for the help. I guess it is time to move to 9.18.
_________________________________________________________
Nicholas Miller, OIT, University of Colorado at Boulder

> On Sep 19, 2023, at 1:53 AM, Ondřej Surý <ondrej at isc.org> wrote:
>
>> On 19. 9. 2023, at 9:25, Petr Špaček <pspacek at isc.org> wrote:
>>
>> All I can tell you is "it works on my system" (with BIND, of course):
>
> I can reproduce this on BIND 9.16 (-c /dev/null as named.conf):
>
> ## BIND 9.19-dev
>
> 19-Sep-2023 09:33:51.633 validating pms.psc.gov/CNAME: no valid signature found
> 19-Sep-2023 09:33:52.485   validating ha.psc.gov/DS: no valid signature found
> 19-Sep-2023 09:33:52.485     validating ha.psc.gov/DS: no valid signature found
> 19-Sep-2023 09:33:52.485 validating pms.ha.psc.gov/A: no valid signature found
>
> $ bin/dig/dig +noall +comments -p 12345 pms.psc.gov @127.0.0.1
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35947
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: 76cc17ac4ce491b901000000650950c533d1d3531585cef9 (good)
>
> ## BIND 9.18-dev
>
> 19-Sep-2023 09:36:10.717 validating pms.psc.gov/CNAME: no valid signature found
> 19-Sep-2023 09:36:11.581   validating ha.psc.gov/DS: no valid signature found
> 19-Sep-2023 09:36:11.581     validating ha.psc.gov/DS: no valid signature found
> 19-Sep-2023 09:36:11.581 validating pms.ha.psc.gov/A: no valid signature found
>
> $ bin/dig/dig +noall +comments -p 12345 pms.psc.gov @127.0.0.1
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30482
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: f109de3980764a42010000006509507caea9fe0064088c8e (good)
>
>
> ## BIND 9.16-dev
>
> 19-Sep-2023 09:37:17.685 validating pms.psc.gov/CNAME: no valid signature found
> 19-Sep-2023 09:37:27.685 query client=0x7f0b840013b0 thread=0x7f0b8ed7b6c0(pms.ha.psc.gov/A): query_gotanswer: unexpected error: timed out
>
> $ bin/dig/dig +short -p 12345 pms.psc.gov @127.0.0.1
>
> $ bin/dig/dig +noall +comments -p 12345 pms.psc.gov @127.0.0.1
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45084
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: e5b154394f270022010000006509503c139afd80b72dd04a (good)
>
> Those servers are broken with QNAME minimization and should be fixed, but
> as we changed the QNAME minimization algorithm to use NS records instead
> of A records in BIND 9.18.17 and higher, it works now.
>
> I can confirm this works in BIND 9.18.17 and higher. And it's absolutely not
> BIND 9's fault.
>
> Cheers,
> --
> Ondřej Surý (He/Him)
> ondrej at isc.org
>
> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
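
As an added illustration (not part of the thread and not BIND's code), this Python model lists the queries a QNAME-minimising resolver sends and shows why the probe type matters. The `broken_server` failure mode (dropping A probes for an intermediate name) and the `psc.gov.` starting zone cut are assumptions; the thread does not say how the servers fail.

```python
# Added example, not BIND code: a simplified QNAME-minimisation walk.
TIMEOUT, OK = "timeout", "ok"


def minimised_queries(qname, qtype, known_cut, probe_type):
    """List the (name, type) queries sent below the deepest known zone cut:
    one probe per added label, then the real question for the full name."""
    labels = qname.rstrip(".").split(".")
    cut = [l for l in known_cut.rstrip(".").split(".") if l]
    if labels[len(labels) - len(cut):] != cut:
        raise ValueError(f"{qname} is not below {known_cut}")
    probes = [(".".join(labels[-n:]) + ".", probe_type)
              for n in range(len(cut) + 1, len(labels))]
    return probes + [(".".join(labels) + ".", qtype)]


def broken_server(name, rtype):
    """HYPOTHETICAL authoritative server (assumed failure mode, not taken
    from the thread): silently drops A queries for the intermediate name
    ha.psc.gov. and answers everything else."""
    if name == "ha.psc.gov." and rtype == "A":
        return TIMEOUT
    return OK


def resolve(qname, qtype, known_cut, probe_type, server):
    """Walk the minimised queries. Simplification: no retries and no
    fallback to the full name, so an unanswered probe ends in SERVFAIL."""
    sent = []
    for name, rtype in minimised_queries(qname, qtype, known_cut, probe_type):
        sent.append((name, rtype))
        if server(name, rtype) == TIMEOUT:
            return "SERVFAIL", sent
    return "NOERROR", sent


if __name__ == "__main__":
    # Same client question, same server, only the probe type differs.
    for probe in ("A", "NS"):
        status, sent = resolve("pms.ha.psc.gov.", "A", "psc.gov.",
                               probe, broken_server)
        print(f"probe type {probe}: {status} after {sent}")
```
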


