Maintained by: NLnet Labs

[Unbound-users] Broken DNS or broken Unbound?

Anand Buddhdev
Sat Dec 17 01:04:11 CET 2011


On 16/12/2011 19:32, Mike Cardwell wrote:

> Can anyone explain what is going on with the domain matt.io? I'm
> running Unbound 1.4.9 and have it set up to do DNSSEC validation.
> "dig matt.io" SERVFAIL's, however "dig +cd matt.io" works fine.
> This domain doesn't have DNSSEC on it though... I also noticed that
> when I attempt to look up the NS records, all it returns is a
> CNAME. Is that valid?
> 
> Is matt.io's DNS configuration broken, or is Unbound broken?

Hi Mike,

The DNS setup of matt.io is broken. They've made the well-known
mistake of mixing a CNAME record with other records:

; <<>> DiG 9.7.3-P3 <<>> +norec ns matt.io @DNS1.NAME-SERVICES.COM
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17082
;; flags: qr aa; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 5

;; QUESTION SECTION:
;matt.io.			IN	NS

;; ANSWER SECTION:
matt.io.		1800	IN	CNAME	eb.blagomatic.com.
matt.io.		3600	IN	NS	dns1.name-services.com.
matt.io.		3600	IN	NS	dns2.name-services.com.
matt.io.		3600	IN	NS	dns3.name-services.com.
matt.io.		3600	IN	NS	dns4.name-services.com.
matt.io.		3600	IN	NS	dns5.name-services.com.

Regards,

Anand Buddhdev
RIPE NCC
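
An added example, not part of the original message: a small checker that takes dig-style record lines and reports any owner name that mixes a CNAME with other record types, the misconfiguration shown in the answer section above. The function names and the RRSIG/NSEC exemption for signed zones are choices made for this example.

```python
import re
from collections import defaultdict

# RFC 1034 section 3.6.2: a name that has a CNAME must have no other data.
# RFC 4035 section 2.5 exempts RRSIG and NSEC in signed zones.
ALLOWED_WITH_CNAME = {"CNAME", "RRSIG", "NSEC"}

# Answer section copied from the dig output quoted in the message above.
SAMPLE = """\
;; ANSWER SECTION:
matt.io.  1800  IN  CNAME  eb.blagomatic.com.
matt.io.  3600  IN  NS     dns1.name-services.com.
matt.io.  3600  IN  NS     dns2.name-services.com.
matt.io.  3600  IN  NS     dns3.name-services.com.
matt.io.  3600  IN  NS     dns4.name-services.com.
matt.io.  3600  IN  NS     dns5.name-services.com.
"""

# owner, TTL, class, type, rdata as printed by dig
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(IN|CH|HS)\s+(\S+)\s+(.*)$", re.I)


def parse_rrs(text):
    """Yield (owner, rrtype, rdata) per record line; skip ';' comments and blanks."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            # DNS names are case-insensitive: normalise to lower case, one trailing dot.
            owner = m.group(1).lower().rstrip(".") + "."
            yield owner, m.group(4).upper(), m.group(5)


def cname_conflicts(text):
    """Return {owner: [types that illegally coexist with its CNAME]}."""
    types = defaultdict(set)
    for owner, rrtype, _rdata in parse_rrs(text):
        types[owner].add(rrtype)
    return {
        owner: sorted(seen - ALLOWED_WITH_CNAME)
        for owner, seen in types.items()
        if "CNAME" in seen and seen - ALLOWED_WITH_CNAME
    }


if __name__ == "__main__":
    for owner, extra in cname_conflicts(SAMPLE).items():
        print(f"{owner} has a CNAME together with: {', '.join(extra)}")
```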