Maintained by: NLnet Labs

[Unbound-users] Parent child disagreement problem

Paul Wouters
Thu May 13 15:26:22 CEST 2010

On Thu, 13 May 2010, Mike Emigh wrote:

> We ran across a new problem in what appears to be parent-child
> disagreement on version 1.4.4.  The resolution appears to work as
> expected when digging for A records in the domain, but if you first
> dig for the NS (starting with an empty cache), then subsequent A
> record lookups fail.

> If you dig NS, it returns an invalid response:
>         3600    IN      NS      netdns.
> Then trying to resolve an A record from this domain results in a SERVFAIL:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1462

I did this against a non-dnssec bind, and it produced the same result.

> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;            IN      A
> The A query appears to work as expected if the you never issue the
> 'dig NS' command.

Except I always get a servfail for

The domain is pretty broken:

$ dnscheck
   0.000: INFO Begin testing zone with version 0.93_01.
   0.000: INFO Begin testing delegation for
   9.067: INFO Name servers listed at parent:
   9.387: ERROR No name servers found at child.
   9.387: ERROR Superfluous name server listed at parent:
   9.388: ERROR Too few name servers (0).
   9.388: INFO Done testing delegation for
   9.388: CRITICAL Fatal error in delegation for zone
   9.388: INFO Test completed for zone