Hi,

Dig returns SERVFAIL while trying to resolve a dnssec enabled zone
without DS record in parent zone. For example, I have these two DNSSEC
enabled zones:
domain.com
subdomain.domain.com

domain.com zone has NO DS record for subdomain.domain.com zone, and
subdomain.domain.com has an A record for the zone, and an A record for
www .

If I query subdomain.domain.com , I get SERVFAIL from dig and these
log messages:

03-Oct-2011 11:03:07.893 validating @0x7f9ea305b2d0: domain.com SOA:
no valid signature found
03-Oct-2011 11:03:07.894 createfetch: domain.com DS
03-Oct-2011 11:03:07.894 validating @0x7f9ea305df70: domain.com
NSEC: no valid signature found
03-Oct-2011 11:03:07.895 createfetch: domain.com DS
03-Oct-2011 11:03:07.896 error (broken trust chain) resolving
'subdomain.domain.com/DNSKEY/IN': x.x.x.x#53
03-Oct-2011 11:03:07.896 error (broken trust chain) resolving
'subdomain.domain.com/A/IN': x.x.x.x#53

If I run the query again, I get NXDOMAIN (from cache). So I can't
query subdomain.domain.com zone.

Now, if I query www.subdomain.domain.com I get the same, but when I
run the query again I get a valid answer (from cache).

I know the DS is not configured properly and so DNSSEC shouldn't work,
but bind shouldn't behave like this. If the zone is not configured
properly, bind should query it anyway, the same way it does when the
zone isn't signed.

I didn't find any related bugs.

Btw, I'm using bind 9.7.3 from debian 6.0.2.

Thanks.

--
Sergio Roberto Charpinel Jr.


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: CAJd0DBb9ZvoZCpRagYYwpRC7kJseYDh8Lfeb4MV5hD-f1p2q6w@mail.gmail.com">http://lists.debian.org/CAJd0DBb9ZvoZCpRagYYwpRC7kJseYDh8Lfeb4MV5hD-f1p2q6w@mail.gmail.com