Re: DNSSEC/unbound -> boingboing.net failures

Hi Matt,

the SERVFAIL is probably not caused by DNSSEC because the zone is not
signed. The problem is that the zone is broken. There is a CNAME
record in the zone apex, which is a violation of the DNS specification
(https://tools.ietf.org/html/rfc2181#section-10.1).

Random resolution failures are quite a usual expression of this
particular RFC misconduct.

Unbound might be able to cope with this problem on its own. But when
used with dnssec-trigger, the DNS queries might be just forwarded to
the DNS resolver from DHCP configuration. And that one might cause the
failure.

Cheers,

Jan


On Tue, Jun 30, 2015 at 5:07 PM, Matthew Miller
<mattdm@xxxxxxxxxxxxxxxxx> wrote:
> With the DNSSEC feature enabled as per the testing instructions, I'm
> sometimes (but not always) getting failures for popular geek blog Boing
> Boing, when public DNS still works:
>
>   $ host boingboing.net
>   Host boingboing.net not found: 2(SERVFAIL)
>
>   $ host boingboing.net 8.8.8.8
>   Using domain server:
>   Name: 8.8.8.8
>   Address: 8.8.8.8#53
>   Aliases:
>
>   boingboing.net is an alias for boingboing.net.global.prod.fastly.net.
>   boingboing.net.global.prod.fastly.net is an alias for
>   global-ssl.fastly.net.
>   global-ssl.fastly.net is an alias for fallback.global-ssl.fastly.net.
>   fallback.global-ssl.fastly.net has address 199.27.76.249
>   fallback.global-ssl.fastly.net has address 23.235.46.249
>
> What's going on here? How can I diagnose it, and how can we fix it so
> that users don't have to diagnose these situations?
>
> I'm concerned that if it's happening with this site (which Alexa rates
> as in the top 1000 websites in the US), it'll happen with a lot of
> others.
>
> --
> Matthew Miller
> <mattdm@xxxxxxxxxxxxxxxxx>
> Fedora Project Leader
> --
> devel mailing list
> devel@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
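
The rule Jan cites (RFC 2181 section 10.1: a name that owns a CNAME may own no other data, which the apex always does because of its SOA and NS records) can be checked offline against zone data. The following is an added example, not code from the thread or from unbound/dnssec-trigger; the zone text is constructed, and the parser assumes one record per line with fully qualified owner names.

```python
"""Flag owner names where a CNAME coexists with other data (RFC 2181 section 10.1)."""
from collections import defaultdict

# Types that may sit beside a CNAME in a signed zone (RFC 4035 section 2.5).
ALLOWED_WITH_CNAME = {"CNAME", "RRSIG", "NSEC"}
CLASSES = {"IN", "CH", "HS"}

# Constructed sample zone, modelled on the apex CNAME described in the thread.
SAMPLE_ZONE = """\
example.net.      3600 IN SOA   ns1.example.net. admin.example.net. 1 7200 900 1209600 300
example.net.      3600 IN NS    ns1.example.net.
example.net.      300  IN CNAME example.net.cdn.example.
www.example.net.  300  IN CNAME example.net.cdn.example.
ns1.example.net.  3600 IN A     192.0.2.53
"""

def parse_records(text):
    """Yield (owner, rrtype) from 'owner [ttl] [class] type rdata' lines."""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        owner, rest = fields[0].lower(), fields[1:]
        # Skip the optional TTL and class fields, in either order.
        while rest and (rest[0].isdigit() or rest[0].upper() in CLASSES):
            rest = rest[1:]
        if rest:
            yield owner, rest[0].upper()

def cname_conflicts(text):
    """Return {owner: sorted other types} for names holding a CNAME plus other data."""
    types = defaultdict(set)
    for owner, rrtype in parse_records(text):
        types[owner].add(rrtype)
    return {
        owner: sorted(seen - ALLOWED_WITH_CNAME)
        for owner, seen in types.items()
        if "CNAME" in seen and seen - ALLOWED_WITH_CNAME
    }

def find_apex(text):
    """The zone apex is the owner of the SOA record; None if no SOA is present."""
    return next((o for o, t in parse_records(text) if t == "SOA"), None)

if __name__ == "__main__":
    apex = find_apex(SAMPLE_ZONE)
    for owner, others in cname_conflicts(SAMPLE_ZONE).items():
        where = "zone apex" if owner == apex else "non-apex name"
        print(f"{owner} ({where}): CNAME coexists with {', '.join(others)}")
```

The `www` CNAME is not flagged because nothing else lives at that name; only the apex, which must also carry SOA and NS, is reported.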



