Maintained by: NLnet Labs

[Unbound-users] Parent child disagreement problem

Paul Wouters
Thu May 13 15:26:22 CEST 2010


On Thu, 13 May 2010, Mike Emigh wrote:

> We ran across a new problem in what appears to be parent-child
> disagreement on version 1.4.4.  The resolution appears to work as
> expected when digging for A records in the domain, but if you first
> dig for the NS (starting with an empty cache), then subsequent A
> record lookups fail.

> If you dig safesvc.gov.cn NS, it returns an invalid response:
>
> ;; ANSWER SECTION:
> safesvc.gov.cn.         3600    IN      NS      netdns.
>
> Then trying to resolve an A record from this domain results in a SERVFAIL:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1462

I did this against a non-dnssec bind, and it produced the same result.

> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.safesvc.gov.cn.            IN      A
>
> The A query appears to work as expected if the you never issue the
> 'dig safesvc.gov.cn NS' command.

Except I always get a servfail for www.safesvc.gov.cn.

The domain is pretty broken:

$ dnscheck safesvc.gov.cn.
   0.000: safesvc.gov.cn. INFO Begin testing zone safesvc.gov.cn. with version 0.93_01.
   0.000: safesvc.gov.cn. INFO Begin testing delegation for safesvc.gov.cn..
   9.067: safesvc.gov.cn. INFO Name servers listed at parent: netdns.safesvc.com.cn
   9.387: safesvc.gov.cn. ERROR No name servers found at child.
   9.387: safesvc.gov.cn. ERROR Superfluous name server listed at parent: netdns.safesvc.com.cn
   9.388: safesvc.gov.cn. ERROR Too few name servers (0).
   9.388: safesvc.gov.cn. INFO Done testing delegation for safesvc.gov.cn..
   9.388: safesvc.gov.cn. CRITICAL Fatal error in delegation for zone safesvc.gov.cn..
   9.388: safesvc.gov.cn. INFO Test completed for zone safesvc.gov.cn..
$