Answers for www.dnssec-failed.org with dnssec-validation auto;

John Thurston john.thurston at alaska.gov
Tue Apr 16 23:41:57 UTC 2024


I'm seeing strange behavior with a BIND 9.18.24 resolver and 
dnssec-failed.org.

With no dnssec-validation line (or with "dnssec-validation auto") in the 
.conf, querying for www.dnssec-failed.org returns SERVFAIL, as expected 
. . until it doesn't. After several seconds of answering SERVFAIL, I 
start getting NOERROR responses, and IP addresses in the ANSWER. It 
isn't a predictable number of seconds; sometimes 9, sometimes 20.

Is this supposed to be happening?

When I examine the process with delv and my eyeballs, I can't see why it 
is succeeding with dig and my validating resolver.

Maybe I'm not looking for the right things with my eyeballs? I'm 
stumped, and looking for advice for next steps in understanding what's 
going on.


The following one-liner:

# rndc flush && while true; do dig -4 www.dnssec-failed.org. A @localhost; sleep 1; done

Results in answers like:

> ; <<>> DiG 9.18.24 <<>> -4 www.dnssec-failed.org. A @localhost
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62774
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: 9fd5ae2d4566c51d01000000661f07f2bfc240421b91f851 (good)
> ;; QUESTION SECTION:
> ;www.dnssec-failed.org.         IN      A
>
> ;; Query time: 237 msec
> ;; SERVER: 127.0.0.1#53(localhost) (UDP)
> ;; WHEN: Tue Apr 16 15:21:22 AKDT 2024
> ;; MSG SIZE  rcvd: 78
>
>
> ; <<>> DiG 9.18.24 <<>> -4 www.dnssec-failed.org. A @localhost
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7693
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: 90175bca7b323c8301000000661f07f3467dc5a561eb4f77 (good)
> ;; QUESTION SECTION:
> ;www.dnssec-failed.org.         IN      A
>
> ;; Query time: 1 msec
> ;; SERVER: 127.0.0.1#53(localhost) (UDP)
> ;; WHEN: Tue Apr 16 15:21:23 AKDT 2024
> ;; MSG SIZE  rcvd: 78
--- after ~20 more like those ---

> ; <<>> DiG 9.18.24 <<>> -4 www.dnssec-failed.org. A @localhost
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34572
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: 60f5a11077dc972401000000661f0809905b6096fd5e287a (good)
> ;; QUESTION SECTION:
> ;www.dnssec-failed.org.         IN      A
>
> ;; ANSWER SECTION:
> www.dnssec-failed.org.  7199    IN      A       68.87.109.242
> www.dnssec-failed.org.  7199    IN      A       69.252.193.191
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(localhost) (UDP)
> ;; WHEN: Tue Apr 16 15:21:45 AKDT 2024
> ;; MSG SIZE  rcvd: 110
>
>
> ; <<>> DiG 9.18.24 <<>> -4 www.dnssec-failed.org. A @localhost
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2987
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: 89a4502552606c3701000000661f080a5dd5f9299ddb95fe (good)
> ;; QUESTION SECTION:
> ;www.dnssec-failed.org.         IN      A
>
> ;; ANSWER SECTION:
> www.dnssec-failed.org.  7198    IN      A       68.87.109.242
> www.dnssec-failed.org.  7198    IN      A       69.252.193.191
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(localhost) (UDP)
> ;; WHEN: Tue Apr 16 15:21:46 AKDT 2024
> ;; MSG SIZE  rcvd: 110


-- 
Do things because you should, not just because you can.

John Thurston    907-465-8591
John.Thurston at alaska.gov
Department of Administration
State of Alaska
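
Added example, not part of the original post: a shell helper that condenses the output of the dig loop above into one line per response (time, status, whether the AD flag is set, answer count) and reports the first change of status. The function names are made up for this example, and the sample input is abbreviated from the responses quoted in the post.

```bash
#!/usr/bin/env bash
# Condense repeated dig responses into one line each:
#   WHEN|status|ad or no-ad|answers=N
# AD in the response flags means the resolver validated the answer as secure.
dig_timeline() {
  awk '
    { sub(/^> ?/, "") }                      # tolerate mail-quoted output
    /->>HEADER<<-/ {
      status = $0
      sub(/.*status: /, "", status); sub(/,.*/, "", status)
    }
    /^;; flags:/ {
      flags = $0
      sub(/^;; flags: /, "", flags); sub(/;.*/, "", flags)
      answers = $0
      sub(/.*ANSWER: /, "", answers); sub(/,.*/, "", answers)
      ad = ((" " flags " ") ~ / ad /) ? "ad" : "no-ad"
    }
    /^;; WHEN:/ {
      when = $0; sub(/^;; WHEN: /, "", when)
      printf "%s|%s|%s|answers=%s\n", when, status, ad, answers
    }'
}

# Print the first point at which the status differs from the previous response.
first_flip() {
  dig_timeline | awk -F'|' '
    NR > 1 && $2 != prev { print prev " -> " $2 " at " $1; exit }
    { prev = $2 }'
}

# Sample input: three responses abbreviated from the output quoted in the post.
SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62774
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WHEN: Tue Apr 16 15:21:22 AKDT 2024
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7693
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WHEN: Tue Apr 16 15:21:23 AKDT 2024
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34572
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WHEN: Tue Apr 16 15:21:45 AKDT 2024'

printf '%s\n' "$SAMPLE" | dig_timeline
printf '%s\n' "$SAMPLE" | first_flip
```

Against a live resolver, the output of the loop can be redirected to a file and that file fed to `dig_timeline` on standard input.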