bind-users: Re: Intermittent failures resolving .org domains in

Re: Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled

From: Michael Sinatra <michael_at_nospam>
Date: Thu Apr 15 2010 - 00:00:05 GMT

On 04/14/10 16:28, Roy Badami wrote:
>> Well, FWIW I upgraded to 9.7.0-P1 and tried enabling DLV again and
>> I've seen no repeat of the DNSSEC name resolution issues so far; it's
>> early days yet (only been running DLV for three days) but certainly
>> looking promising.
> I spoke too soon. I've now found a query that (at least this evening)
> is consistently failing for me, even if I restart BIND.
> The following query gives me SERVFAIL
> dig aaaa
> But the following two queries work:
> dig a
> dig aaaa +cd

How does the last query "work"? I consistently get a NOERROR using
unbound as a validating resolver, and that's also what I get when
querying the authoritative nameservers for

I am easily able to replicate your results on my set-up.

I also get the following log from BIND:

14-Apr-2010 16:33:14.953 error (broken trust chain) resolving '':

> This is particularly odd, because there is absolutely no DNSSEC
> involved here. No domain above appears to be in the
> DLV registry, and BIND must be able to successfully verify the
> covering NSEC record that proves that in order to be willing to
> resolve the A query above. So I can't immediately see any way this
> situation could arise except due to a BIND bug.
> Anyone else have an IPv6-connected BIND 9.7.0-P1 host with DLV enabled
> they can try this query on?

The authoritative DNS servers for appear to be kind of
broken, in that they don't return authoritative NS records for, even when queried. They do return an SOA record. I think
some of the goofiness may be due to that lack of authority records.
Note that an authoritative BIND server will generally refuse to load a
zone without NS records.


> dig any

; <<>> DiG 9.7.0-P1 <<>> any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32624
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available


;; ANSWER SECTION:
3600 IN TXT "BBC Intelligent Load Balancing Domain"
3600 IN SOA 1271235700 86400 86400 86400 300

;; Query time: 141 msec
;; WHEN: Wed Apr 14 16:45:09 2010
;; MSG SIZE rcvd: 148

Obviously, in addition to the lack of NS records, there are serious
errors in the TXT record above, since the word "Intelligent" clearly
does not belong there.
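Added example, not part of the original message or of BIND: a small Python triage of saved dig output that applies the two checks used in this thread, comparing a validating query against the same query with +cd, and checking an authoritative ANY reply at the zone apex for a missing NS RRset. The dig output is constructed, example.org is a placeholder for the elided name, and the function names are hypothetical.

```python
import re

STATUS = re.compile(r"status: (\w+), id: \d+")
FLAGS = re.compile(r"flags: ([a-z ]*);")
RRTYPE = re.compile(r"^\S+[ \t]+\d+[ \t]+IN[ \t]+(\S+)", re.M)

def parse_dig(text):
    """Extract status, header flags and answer-section RR types from dig output."""
    status, flags = STATUS.search(text), FLAGS.search(text)
    parts = text.split(";; ANSWER SECTION:", 1)
    answer = parts[1].split("\n\n", 1)[0] if len(parts) == 2 else ""
    return {
        "status": status.group(1) if status else None,
        "flags": set(flags.group(1).split()) if flags else set(),
        "types": set(RRTYPE.findall(answer)),
    }

def validation_failure(validating, checking_disabled):
    """SERVFAIL normally, but NOERROR with +cd: the resolver's DNSSEC validation
    is what fails, not plain resolution of the name."""
    return (validating["status"] == "SERVFAIL"
            and checking_disabled["status"] == "NOERROR")

def apex_missing_ns(any_reply):
    """Authoritative (aa) reply at the apex (SOA present) carrying no NS RRset.
    Heuristic: servers that minimise ANY (RFC 8482) need a direct NS query."""
    return ("aa" in any_reply["flags"]
            and "SOA" in any_reply["types"]
            and "NS" not in any_reply["types"])

# Constructed samples; example.org stands in for the name elided on this page.
VALIDATING = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""
WITH_CD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
"""
AUTH_ANY = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
example.org. 3600 IN TXT "constructed sample"
example.org. 3600 IN SOA ns.example.org. hostmaster.example.org. 1 86400 86400 86400 300

;; Query time: 1 msec
"""

if __name__ == "__main__":
    print("validation failure:", validation_failure(parse_dig(VALIDATING), parse_dig(WITH_CD)))
    print("apex missing NS:", apex_missing_ns(parse_dig(AUTH_ANY)))
```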

