Maintained by: NLnet Labs

[Unbound-users] SERVFAIL with *some* names in a DNSSEC+DLV signed zone

Stephane Bortzmeyer
Thu Aug 27 09:49:09 CEST 2009


On Tue, Jun 30, 2009 at 02:24:12PM +0200,
 W.C.A. Wijngaards <wouter at nlnetlabs.nl> wrote 
 a message of 71 lines which said:

> I think the problem is the recent NSEC+RRSIG parse bug I fixed.  In the
> ANY queries that is present and can lead to the problem, the bug is
> triggered based on ordering in the packet, and this causes the
> randomness for you.
> 
> So, it is fixed in subversion trunk and perhaps I should consider making
> a bugfix release :-)

I have a similar (?) problem with the 1.3.2 release.

% dig +dnssec AAAA ns-cm.ripe.net
...
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19685
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 5
...
ns-cm.ripe.net.         172417  IN      AAAA    2001:610:240:0:53:cc:12:38
...

(Same thing for A queries.)

% dig +dnssec ANY ns-cm.ripe.net
...
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20929
...

Other names, like ns-co.ripe.net, work fine.
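The symptom reported above (a validating resolver answering A/AAAA with NOERROR and the `ad` bit set, but SERVFAIL for ANY on the same name) is easy to spot by hand and easy to miss across many names. The following is an added example, not code from the original post or from Unbound: it parses the `;; ->>HEADER<<-` and `;; flags:` lines of dig output for several query types and flags a name whose validation outcome differs by query type. The embedded dig snippets are constructed samples modelled on the format of the post's output (the post itself elided most lines with "..."); the optional `run_dig` helper assumes a `dig` binary on the PATH and is only used when you pass a live fetch function.

```python
import re
import subprocess

# Constructed sample dig outputs (header and flags lines only), modelled on the
# format shown in the post. They are NOT the original captures.
SAMPLE_RESPONSES = {
    "AAAA": """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19685
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 5
""",
    "A": """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11111
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 5
""",
    "ANY": """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20929
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
""",
}

HEADER_RE = re.compile(
    r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)", re.M)
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.M)


def parse_dig_header(text):
    """Extract opcode, status, id and the set of header flags from dig output.

    Returns None when no dig header line is present (e.g. a timeout)."""
    m = HEADER_RE.search(text)
    if not m:
        return None
    f = FLAGS_RE.search(text)
    flags = set(f.group(1).split()) if f else set()
    return {"opcode": m.group(1), "status": m.group(2),
            "id": int(m.group(3)), "flags": flags}


def classify(results):
    """Per query type, report SERVFAIL, unparseable output, or an answer that
    came back NOERROR without the AD (authenticated data) bit."""
    findings = []
    for qtype, hdr in results.items():
        if hdr is None:
            findings.append((qtype, "unparseable"))
        elif hdr["status"] == "SERVFAIL":
            findings.append((qtype, "servfail"))
        elif hdr["status"] == "NOERROR" and "ad" not in hdr["flags"]:
            findings.append((qtype, "unvalidated"))
    return findings


def inconsistent_validation(results):
    """True when at least one query type validated (NOERROR + ad) while another
    query type for the same name got SERVFAIL: the pattern in the post."""
    validated = any(h and h["status"] == "NOERROR" and "ad" in h["flags"]
                    for h in results.values())
    failed = any(h and h["status"] == "SERVFAIL" for h in results.values())
    return validated and failed


def run_dig(name, qtype, server=None):
    """Hypothetical live fetch: run `dig +dnssec <qtype> <name>` and return its
    text. Assumes dig is installed; only used when passed as `fetch`."""
    cmd = ["dig", "+dnssec", qtype, name]
    if server:
        cmd.append("@" + server)
    return subprocess.run(cmd, capture_output=True, text=True, timeout=10).stdout


def check_name(name, qtypes=("A", "AAAA", "ANY"), fetch=None):
    """Query each type for `name` (via `fetch(name, qtype)`, defaulting to the
    constructed samples) and return (findings, inconsistent?)."""
    if fetch is None:
        fetch = lambda n, q: SAMPLE_RESPONSES.get(q, "")
    results = {q: parse_dig_header(fetch(name, q)) for q in qtypes}
    return classify(results), inconsistent_validation(results)


if __name__ == "__main__":
    findings, inconsistent = check_name("ns-cm.ripe.net")
    for qtype, problem in findings:
        print(f"{qtype}: {problem}")
    if inconsistent:
        print("validation outcome differs by query type; compare with a "
              "non-validating resolver and the resolver's validation log")
```

To exercise it against a live resolver, pass `fetch=run_dig` (or a lambda that adds `server=`); comparing the same name against a second resolver, or the same resolver with validation disabled, separates a zone signing problem from a resolver-side parse or validation bug like the one discussed in the thread.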