dnssec-analyzer.verisignlabs.com aaaa lookup fail
Mark Andrews
marka at isc.org
Tue Apr 30 06:40:32 UTC 2024
And it has been fixed.
% dig dnssec-analyzer.verisignlabs.com aaaa
;; BADCOOKIE, retrying.
; <<>> DiG 9.19.24-dev <<>> dnssec-analyzer.verisignlabs.com aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9048
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 9fcb48e259ddaedd0100000066308ef2d1dcce4f0e1ca7fe (good)
;; QUESTION SECTION:
;dnssec-analyzer.verisignlabs.com. IN AAAA
;; ANSWER SECTION:
dnssec-analyzer.verisignlabs.com. 3600 IN CNAME dnssec-analyzer-verisignlabs.gslb.verisign.com.
;; AUTHORITY SECTION:
gslb.verisign.com. 60 IN SOA gslb.ilg1.verisign.com. hostmaster.gslb.ilg1.verisign.com. 2024041709 10800 3600 604800 60
;; Query time: 1155 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Tue Apr 30 16:25:54 AEST 2024
;; MSG SIZE rcvd: 203
%
> On 30 Apr 2024, at 06:55, Lee <ler762 at gmail.com> wrote:
>
> On Sun, Apr 28, 2024 at 7:56 PM Mark Andrews wrote:
>>
>> It isn’t DNSSEC. It’s a badly configured DNS server that is claiming that it serves .com rather than dnssec-analyzer-gslb.verisignlabs.com which is actually delegated to it.
>>
>> % dig dnssec-analyzer-gslb.verisignlabs.com aaaa +trace +all
>> ;; BADCOOKIE, retrying.
>>
>> ; <<>> DiG 9.19.24-dev <<>> dnssec-analyzer-gslb.verisignlabs.com aaaa +trace +all
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37498
>> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 27
> <.. snip lots ..>
>
>> ;; AUTHORITY SECTION:
>> com. 60 IN SOA this.name.is.invalid. hostmaster.this.name.is.invalid. 2023030710 10800 3600 604800 60
>
> I did a search for "this.name.is.invalid" and the only results I got
> were for F5 support pages - eg.
> The fix in BIG-IP DNS 14.1.0 introduces a new setting,
> wideip-zone-nameserver, which defaults the WideIP zone nameserver to
> this.name.is.invalid.
>
> Wouldn't a badly configured F5 server be a better explanation?
>
> Thanks
> Lee
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the bind-users
mailing list