[Unbound-users] Problems with dipmap.com

W.C.A. Wijngaards wouter at NLnetLabs.nl
Tue Sep 20 07:46:41 UTC 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Hauke, Robert,

On 09/19/2011 05:41 PM, Hauke Lampe wrote:
> On 19.09.2011 15:51, W.C.A. Wijngaards wrote:
> 
>> I do not understand how they continue to query LAME servers.
> 
> Doesn't look lame to me. It answers queries for tirparkolo.dipmap.com as
> well as for ns/ns1/ns2.dipmap.com. Only the NS record is wrong.
> 
> My Unbound resolver (current svn) keeps returing the correct answer.

There is a bug, which I fixed (thank Amanda from Secure64), it has a
wrong classification internally.  What is also wrong with the
dir.slb.com setup (how many things can you break at the same time?) is
that the slb.com DNS servers are stealth serving the dir.slb.com zone as
well.  Their AA answer is the final answer for BIND, but unbound
classified it wrong and wanted to as dir.slb.com DNS servers for the
answer ... but those do not answer.  Fixed in svn trunk.

>> If it would not
>> give Lame answers, then it would work with unbound (and the parent-child
>> disagreement would not be an issue).
> 
> Shouldn't it fail with "harden-referral-path" set? Or is it enough if
> the child servers sends answers for the nameserver names from the parent
> zone even if the NS records differ?
> 
> Here's a query trace from unbound-host w/ harden-referral-path:
> http://pastebin.com/VU3tuN3J

No, harden referral path is OK if the answer does not arrive for the NS
set.  It is lenient for this sort of brokenness.

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJOeETgAAoJEJ9vHC1+BF+NPkAP/ROivRYUpcV6o2IY7p5x+of3
euXi4dM3rtmoii5mSHENBspKHGT8Uevd9qHHF5/CPLq29nYXLN9V0ZsK/p8k4fhB
ef9E4O+FVvYg+egeLWiO6cpjpy97wPm45eue2YUOqMwNi3anL29hvaf3GzDs4ikz
W+aY8TcDZlCb3EVjfliSCD/MiHTUyyfZUkr5zheSHyr+yQQcG2+fyx4gUyIJ+lXp
KIx17E16AK1eLRGc1WNLNnYYn8jEWr/JT2FYIYfciYj5XqlsQ0oslJtSvHz38n+J
L7mHOaIJJ/ADLiUOl4tT6V7z0AAU1xj0KTrCbUC8x5h653itDeXqtJCnnWcHWorp
janaE48Uv1i7z4VoJCzf/boBoznG0hGOOpza0T64ngTgG71zgPw2RAAJouLW5EAv
/3BEm23b0a7Tjzu2OoOfI3wZFuRjFiP+SwHnJhCBO1cqIOSd+xsUZYTULImPRBMT
PZmh5m+5lhxKr+zhhH5N1RpAYdRS4thZ8IEbCxcQUFPCMldSTC8imlFhgSFgXM/K
3xdzg60ZUGGZrtqfktwWxRwPcx/erbMTfubsVtaTZgdlwJuv3PR9aecVlvK3lazb
xlvcs5COPKM8Cv6+u91K7dFJOwTDNR4Nn919Ma/p9LS6v3CBWqABy4UqfD7lu6eE
6tNj4wiaqQHrTGAx+ts3
=DrkG
-----END PGP SIGNATURE-----



More information about the Unbound-users mailing list