[Unbound-users] SERVFAIL with *some* names in a DNSSEC+DLV signed zone
Stephane Bortzmeyer
bortzmeyer at nic.fr
Thu Aug 27 07:49:09 UTC 2009
On Tue, Jun 30, 2009 at 02:24:12PM +0200,
W.C.A. Wijngaards <wouter at nlnetlabs.nl> wrote
a message of 71 lines which said:
> I think the problem is the recent NSEC+RRSIG parse bug I fixed. In the
> ANY queries that is present and can lead to the problem, the bug is
> triggered based on ordering in the packet, and this causes the
> randomness for you.
>
> So, it is fixed in subversion trunk and perhaps I should consider making
> a bugfix release :-)
I have a similar (?) problem with the 1.3.2 release.
% dig +dnssec AAAA ns-cm.ripe.net
...
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19685
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 5
...
ns-cm.ripe.net. 172417 IN AAAA 2001:610:240:0:53:cc:12:38
...
(Same thing for A queries.)
% dig +dnssec ANY ns-cm.ripe.net
...
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20929
...
Other names, like ns-co.ripe.net, work fine.
More information about the Unbound-users
mailing list