Maintained by: NLnet Labs

[Unbound-users] Inconsistent problems when resolving www.ratp.fr

W.C.A. Wijngaards
Wed Dec 12 10:39:30 CET 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Stephane,

On 12/12/2012 09:53 AM, Stephane Bortzmeyer wrote:
> On Tue, Dec 11, 2012 at 11:57:29AM +0100, Stephane Bortzmeyer
> <bortzmeyer at nic.fr> wrote a message of 28 lines which said:
> 
>> When trying to get the IP address of www.ratp.fr, Unbound has an 
>> inconsistent behaviour. Sometimes, it works, sometimes it
>> servfails.
> 
> After more investigation:
> 
> * the domain is delegated to two broken Web load balancers,
> probably Radware Alteon (tested with another Alteon boxes) * a DANE
> extension is installed in my Firefox and sends requests for 
> _443._tcp.www.ratp.fr * The incorrect response to these requests
> (NXDOMAIN but without a SOA) seems to trigger the problem

This should become a low-TTL NXDOMAIN for unbound.  Do you have
harden-nxdomain enabled?  If so, the NXDOMAIN response stops queries
underneath it.

Best regards,
   Wouter

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iQIcBAEBAgAGBQJQyFDSAAoJEJ9vHC1+BF+NRLsP/i882mJe2gdFWQmnJzeReKfl
XIvYPjEchnUE9taxizpenO6mUYiJPU+F9ZiBffo9zC/drk57xsDky8xn1Z/i10BF
+808+cmU/8RwEoApXi+D5qbixU2dskONpoTp97qoEGCZVaDgJ54bEOYSVPLILpGL
SL/OrpOo9BdZqjSZJbg9SbuzbWbyzkPEBiUm+rli0cFPKlMCQE5pbrfKupdnVRlX
xXuldOLKG3WsvFgFk7JH8/ZUHbjeh2uAhhaFlSuv9Pvi02isAoMcXvlWlEtThssn
Yuy/0pIQKz7V0sZ/zai3cDM6NHX8oy26QDfWapv1kT/C9//iqqG9GYHlT+bQJMPa
SHG9YgsV8peAVqZoe2MtUlXtOXsBuiwNR8VO/e7xjhqFH5avufV2brzdTTSD7Kyz
RrUJuG88X+deAjrnPLhzqrS3/89mQ2EPz25IlBmCTV9mkhw3xiz1KumRp6X6OYNw
E++hh0Bz7Uyag3U7Pht3Md+d9iQuMugxLW/LV5BE8Fsa7ciowv/T52n9XQdQIaB0
Pdv4CAQFgdUYiXkZ7u2ve2kfwkTjpzNyGm+HDnBpkJrKiAuVdsyY+tBsq81nT+Fp
fccyl+Y5y8iFjwQcAm5akHsTm5l8lLNz1qXW7HOToUt/kjPi1FJiQccfytszPdMm
m98heyw2wBq9s6poMGD4
=QdnV
-----END PGP SIGNATURE-----