dnssec-analyzer.verisignlabs.com aaaa lookup fail

Mark Andrews marka at isc.org
Tue Apr 30 06:40:32 UTC 2024 

And it has been fixed.

% dig dnssec-analyzer.verisignlabs.com aaaa
;; BADCOOKIE, retrying.

; <<>> DiG 9.19.24-dev <<>> dnssec-analyzer.verisignlabs.com aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9048
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 9fcb48e259ddaedd0100000066308ef2d1dcce4f0e1ca7fe (good)
;; QUESTION SECTION:
;dnssec-analyzer.verisignlabs.com. IN AAAA

;; ANSWER SECTION:
dnssec-analyzer.verisignlabs.com. 3600 IN CNAME dnssec-analyzer-verisignlabs.gslb.verisign.com.

;; AUTHORITY SECTION:
gslb.verisign.com. 60 IN SOA gslb.ilg1.verisign.com. hostmaster.gslb.ilg1.verisign.com. 2024041709 10800 3600 604800 60

;; Query time: 1155 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Tue Apr 30 16:25:54 AEST 2024
;; MSG SIZE  rcvd: 203

% 

> On 30 Apr 2024, at 06:55, Lee <ler762 at gmail.com> wrote:
> 
> On Sun, Apr 28, 2024 at 7:56 PM Mark Andrews wrote:
>> 
>> It isn’t DNSSEC. It’s a badly configured DNS server that is claiming that it serves .com rather than dnssec-analyzer-gslb.verisignlabs.com which is actually delegated to it.
>> 
>> % dig dnssec-analyzer-gslb.verisignlabs.com aaaa +trace +all
>> ;; BADCOOKIE, retrying.
>> 
>> ; <<>> DiG 9.19.24-dev <<>> dnssec-analyzer-gslb.verisignlabs.com aaaa +trace +all
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37498
>> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 27
>      <.. snip lots ..>
> 
>> ;; AUTHORITY SECTION:
>> com. 60 IN SOA this.name.is.invalid. hostmaster.this.name.is.invalid. 2023030710 10800 3600 604800 60
> 
> I did a search for "this.name.is.invalid" and the only results I got
> were for F5 support pages - eg.
>  The fix in BIG-IP DNS 14.1.0 introduces a new setting,
> wideip-zone-nameserver, which defaults the WideIP zone nameserver to
> this.name.is.invalid.
> 
> Wouldn't a badly configured F5 server be a better explanation?
> 
> Thanks
> Lee

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org

More information about the bind-users mailing list