dnssec-analyzer.verisignlabs.com aaaa lookup fail

Lee ler762 at gmail.com
Mon Apr 29 19:56:30 UTC 2024


On Sun, Apr 28, 2024 at 2:18 AM Walter H. wrote:
>
> On 27.04.2024 16:54, Lee wrote:
> > On Sat, Apr 27, 2024 at 9:50 AM Walter H. via bind-users
> > <bind-users at lists.isc.org> wrote:
> >> # host dnssec-analyzer.verisignlabs.com
> >> dnssec-analyzer.verisignlabs.com is an alias for
> >> dnssec-analyzer-gslb.verisignlabs.com.
> >> dnssec-analyzer-gslb.verisignlabs.com has address 209.131.158.42
> >>
> > Right, the IPv4 address lookup works.  Now try looking up the IPv6 address.
>
> if there was one it would be presented there

Try this:

$ dig www.github.com aaaa

; <<>> DiG 9.16.48-Debian <<>> www.github.com aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45964
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
; COOKIE: 6e0635047fb42cbf01000000662ff80b95c1aaed2c48a54b (good)
;; QUESTION SECTION:
;www.github.com.                        IN      AAAA

;; ANSWER SECTION:
www.github.com.         3600    IN      CNAME   github.com.

;; AUTHORITY SECTION:
github.com.             3600    IN      SOA     dns1.p08.nsone.net.
hostmaster.nsone.net. 1656468023 43200 7200 1209600 3600


The query status is NOERROR.  Compare that to

$ dig dnssec-analyzer-gslb.verisignlabs.com aaaa

; <<>> DiG 9.16.48-Debian <<>> dnssec-analyzer-gslb.verisignlabs.com aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18045
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
; COOKIE: 8dca27caaec9a47401000000662ff8ad9cc9bff9bf779d54 (good)
;; QUESTION SECTION:
;dnssec-analyzer-gslb.verisignlabs.com. IN AAAA

where the query status is SERVFAIL.

OK.. noerr vs. servfail doesn't make all that much difference to me,
but I *would* like to understand why looking up the IPv6 address for
that name gives me an error.
I'm still operating under the (increasingly looking like it's
delusional) assumption that I should be able to understand this stuff.

> this can't be a matter of DNSSEC, as there are only signed whole zones
> and not just single DNS-records ...

I dunno.  I've seen some weird stuff with servers on AWS not resolving
IPv6 addresses but having a CNAME pointing outside the zone.
Which I don't understand, but at least it doesn't return an error so I
just chalked it up to them deciding that supporting IPv6 was too much
of a pain.

Regards,
Lee
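
The distinction Lee draws above (NOERROR with a CNAME and an SOA in the authority section, versus a bare SERVFAIL) is easy to misread by eye, so here is a small parser for dig's text output that classifies a response as an answer, a NODATA negative answer (the RFC 2308 term for "the name exists but has no record of that type"), a CNAME that leads to NODATA, or a resolver failure such as SERVFAIL. This is an added example, not code from the thread or from BIND; the two sample responses are copied (abridged to the relevant sections) from the message above, and the mail-client line wrap on the SOA record is handled as a continuation line. The record-tuple layout, the class names and the classification labels are this example's own conventions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Two dig outputs copied (abridged to the relevant sections) from the message above.
NOERROR_CNAME_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45964
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.github.com.                        IN      AAAA

;; ANSWER SECTION:
www.github.com.         3600    IN      CNAME   github.com.

;; AUTHORITY SECTION:
github.com.             3600    IN      SOA     dns1.p08.nsone.net.
hostmaster.nsone.net. 1656468023 43200 7200 1209600 3600
"""

SERVFAIL_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18045
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
;; QUESTION SECTION:
;dnssec-analyzer-gslb.verisignlabs.com. IN AAAA
"""

Record = tuple  # (owner, rtype, rdata) as strings

SECTION_MARKERS = {
    ";; QUESTION SECTION:": "question",
    ";; ANSWER SECTION:": "answer",
    ";; AUTHORITY SECTION:": "authority",
    ";; ADDITIONAL SECTION:": "additional",
}


@dataclass
class DigResponse:
    qname: str = ""
    qtype: str = ""
    status: str = ""
    answer_count: int = -1      # from the ";; flags:" line
    authority_count: int = -1   # from the ";; flags:" line
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)

    def sections_consistent(self) -> bool:
        """True when the parsed record lists match the counts dig printed in the flags line.
        A mismatch usually means wrapped or truncated output, not a DNS problem."""
        return (len(self.answer) == self.answer_count
                and len(self.authority) == self.authority_count)


def parse_dig(text: str) -> DigResponse:
    """Parse dig's human-readable output into status, question and answer/authority records."""
    resp = DigResponse()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            resp.status = m.group(1) if m else "UNKNOWN"
            continue
        if line.startswith(";; flags:"):
            m = re.search(r"ANSWER: (\d+), AUTHORITY: (\d+)", line)
            if m:
                resp.answer_count, resp.authority_count = int(m.group(1)), int(m.group(2))
            continue
        if line in SECTION_MARKERS:
            section = SECTION_MARKERS[line]
            continue
        if section == "question" and line.startswith(";"):
            parts = line[1:].split()          # ";name. IN AAAA"
            resp.qname, resp.qtype = parts[0], parts[-1]
            continue
        if line.startswith(";"):
            continue                          # DiG banner, EDNS/COOKIE pseudosection, other comments
        if section not in ("answer", "authority"):
            continue
        target = resp.answer if section == "answer" else resp.authority
        parts = line.split()                  # owner TTL IN TYPE rdata...
        if len(parts) >= 4 and parts[2] == "IN":
            target.append((parts[0], parts[3], " ".join(parts[4:])))
        elif target:
            # A record the mail client wrapped onto a second line: append it to the previous rdata.
            owner, rtype, rdata = target[-1]
            target[-1] = (owner, rtype, f"{rdata} {line}".strip())
    return resp


def cname_target(resp: DigResponse) -> Optional[str]:
    """Final CNAME target in the answer section, or None if the name is not an alias."""
    targets = [rdata for _, rtype, rdata in resp.answer if rtype == "CNAME"]
    return targets[-1] if targets else None


def classify(resp: DigResponse) -> str:
    """Name the kind of response, separating 'no such record' from 'no answer at all'."""
    if resp.status != "NOERROR":
        return resp.status                    # SERVFAIL, NXDOMAIN, REFUSED, ...
    if any(rtype == resp.qtype for _, rtype, _ in resp.answer):
        return "ANSWER"
    has_soa = any(rtype == "SOA" for _, rtype, _ in resp.authority)
    if cname_target(resp) is not None:
        return "CNAME-NODATA" if has_soa else "CNAME-ONLY"
    return "NODATA" if has_soa else "NOERROR-EMPTY"


if __name__ == "__main__":
    for sample in (NOERROR_CNAME_SAMPLE, SERVFAIL_SAMPLE):
        r = parse_dig(sample)
        print(f"{r.qname} {r.qtype}: {classify(r)} (alias of {cname_target(r)})")
```

Run against the first sample this reports CNAME-NODATA: the alias resolved and the target zone's SOA in the authority section is the negative answer saying github.com has no AAAA. The second sample reports SERVFAIL, which carries no record at all; it only says the resolver could not produce an answer. Whether that is the resolver's DNSSEC validation or something upstream is exactly what the thread has not settled, and the usual next check is to repeat the query with `dig +cd` (checking disabled): if the AAAA query then succeeds, validation is what failed; if it still fails, the problem is before validation.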

