dnssec-analyzer.verisignlabs.com aaaa lookup fail
Mark Andrews
marka at isc.org
Mon Apr 29 21:13:19 UTC 2024
I prefer to only name and shame when I’m 100% sure of the target.
--
Mark Andrews
> On 30 Apr 2024, at 06:56, Lee <ler762 at gmail.com> wrote:
>
> On Sun, Apr 28, 2024 at 7:56 PM Mark Andrews wrote:
>>
>> It isn’t DNSSEC. It’s a badly configured DNS server that is claiming that it serves .com rather than dnssec-analyzer-gslb.verisignlabs.com which is actually delegated to it.
>>
>> % dig dnssec-analyzer-gslb.verisignlabs.com aaaa +trace +all
>> ;; BADCOOKIE, retrying.
>>
>> ; <<>> DiG 9.19.24-dev <<>> dnssec-analyzer-gslb.verisignlabs.com aaaa +trace +all
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37498
>> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 27
> <.. snip lots ..>
>
>> ;; AUTHORITY SECTION:
>> com. 60 IN SOA this.name.is.invalid. hostmaster.this.name.is.invalid. 2023030710 10800 3600 604800 60
>
> I did a search for "this.name.is.invalid" and the only results I got
> were for F5 support pages - eg.
> The fix in BIG-IP DNS 14.1.0 introduces a new setting,
> wideip-zone-nameserver, which defaults the WideIP zone nameserver to
> this.name.is.invalid.
>
> Wouldn't a badly configured F5 server be a better explanation?
>
> Thanks
> Lee
More information about the bind-users
mailing list