dnssec-analyzer.verisignlabs.com aaaa lookup fail
Lee
ler762 at gmail.com
Mon Apr 29 20:55:48 UTC 2024
On Sun, Apr 28, 2024 at 7:56 PM Mark Andrews wrote:
>
> It isn’t DNSSEC. It’s a badly configured DNS server that is claiming that it serves .com rather than dnssec-analyzer-gslb.verisignlabs.com which is actually delegated to it.
>
> % dig dnssec-analyzer-gslb.verisignlabs.com aaaa +trace +all
> ;; BADCOOKIE, retrying.
>
> ; <<>> DiG 9.19.24-dev <<>> dnssec-analyzer-gslb.verisignlabs.com aaaa +trace +all
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37498
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 27
<.. snip lots ..>
> ;; AUTHORITY SECTION:
> com. 60 IN SOA this.name.is.invalid. hostmaster.this.name.is.invalid. 2023030710 10800 3600 604800 60
I did a search for "this.name.is.invalid" and the only results I got
were for F5 support pages - eg.
The fix in BIG-IP DNS 14.1.0 introduces a new setting,
wideip-zone-nameserver, which defaults the WideIP zone nameserver to
this.name.is.invalid.
Wouldn't a badly configured F5 server be a better explanation?
Thanks
Lee
More information about the bind-users
mailing list