dnssec-analyzer.verisignlabs.com aaaa lookup fail
Lee
ler762 at gmail.com
Mon Apr 29 21:40:08 UTC 2024
On Mon, Apr 29, 2024 at 5:13 PM Mark Andrews wrote:
>
> I prefer to only name and shame when I’m 100% sure of the target.
I was only trying to understand why I was getting a SERVFAIL, there
was no intention to name & shame.
Regards,
Lee
"name & shame" was not my intent.
>
> --
> Mark Andrews
>
> > On 30 Apr 2024, at 06:56, Lee <ler762 at gmail.com> wrote:
> >
> > On Sun, Apr 28, 2024 at 7:56 PM Mark Andrews wrote:
> >>
> >> It isn’t DNSSEC. It’s a badly configured DNS server that is claiming that it serves .com rather than dnssec-analyzer-gslb.verisignlabs.com which is actually delegated to it.
> >>
> >> % dig dnssec-analyzer-gslb.verisignlabs.com aaaa +trace +all
> >> ;; BADCOOKIE, retrying.
> >>
> >> ; <<>> DiG 9.19.24-dev <<>> dnssec-analyzer-gslb.verisignlabs.com aaaa +trace +all
> >> ;; global options: +cmd
> >> ;; Got answer:
> >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37498
> >> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 27
> > <.. snip lots ..>
> >
> >> ;; AUTHORITY SECTION:
> >> com. 60 IN SOA this.name.is.invalid. hostmaster.this.name.is.invalid. 2023030710 10800 3600 604800 60
> >
> > I did a search for "this.name.is.invalid" and the only results I got
> > were for F5 support pages - eg.
> > The fix in BIG-IP DNS 14.1.0 introduces a new setting,
> > wideip-zone-nameserver, which defaults the WideIP zone nameserver to
> > this.name.is.invalid.
> >
> > Wouldn't a badly configured F5 server be a better explanation?
> >
> > Thanks
> > Lee
>
More information about the bind-users
mailing list