Maintained by: NLnet Labs

[Unbound-users] Parent child disagreement problem

Dustin Marquess
Thu May 13 16:37:20 CEST 2010


Not sure if it's similar, but the wife was trying to go to one of those
designer check places that always sends you junk in the mail... in this case
www.checksunlimited.com.

Lookups always SERVFAIL for the domain checksunlimited.com.  Running unbound
in debug, it always sets the results to THROWAWAY.  I tried to debug it, but
it quickly went over my head.

Went back to my old dnscache setup that unbound replaced, and it worked fine
:(.

-Dustin

On Thu, May 13, 2010 at 8:26 AM, Paul Wouters <paul at xelerance.com> wrote:

> On Thu, 13 May 2010, Mike Emigh wrote:
>
>  We ran across a new problem in what appears to be parent-child
>> disagreement on version 1.4.4.  The resolution appears to work as
>> expected when digging for A records in the domain, but if you first
>> dig for the NS (starting with an empty cache), then subsequent A
>> record lookups fail.
>>
>
>  If you dig safesvc.gov.cn NS, it returns an invalid response:
>>
>> ;; ANSWER SECTION:
>> safesvc.gov.cn.         3600    IN      NS      netdns.
>>
>> Then trying to resolve an A record from this domain results in a SERVFAIL:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1462
>>
>
> I did this against a non-dnssec bind, and it produced the same result.
>
>
>  ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;www.safesvc.gov.cn.            IN      A
>>
>> The A query appears to work as expected if the you never issue the
>> 'dig safesvc.gov.cn NS' command.
>>
>
> Except I always get a servfail for www.safesvc.gov.cn.
>
> The domain is pretty broken:
>
> $ dnscheck safesvc.gov.cn.
>  0.000: safesvc.gov.cn. INFO Begin testing zone safesvc.gov.cn. with
> version 0.93_01.
>  0.000: safesvc.gov.cn. INFO Begin testing delegation for safesvc.gov.cn..
>  9.067: safesvc.gov.cn. INFO Name servers listed at parent:
> netdns.safesvc.com.cn
>  9.387: safesvc.gov.cn. ERROR No name servers found at child.
>  9.387: safesvc.gov.cn. ERROR Superfluous name server listed at parent:
> netdns.safesvc.com.cn
>  9.388: safesvc.gov.cn. ERROR Too few name servers (0).
>  9.388: safesvc.gov.cn. INFO Done testing delegation for safesvc.gov.cn..
>  9.388: safesvc.gov.cn. CRITICAL Fatal error in delegation for zone
> safesvc.gov.cn..
>  9.388: safesvc.gov.cn. INFO Test completed for zone safesvc.gov.cn..
>
> $
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20100513/3816f349/attachment.htm>