Maintained by: NLnet Labs

[Unbound-users] Broken DNS or broken Unbound?

Anand Buddhdev
Sat Dec 17 01:04:11 CET 2011

On 16/12/2011 19:32, Mike Cardwell wrote:

> Can anyone explain what is going on with the domain I'm
> running Unbound 1.4.9 and have it set up to do DNSSEC validation.
> "dig" SERVFAIL's, however "dig +cd" works fine.
> This domain doesn't have DNSSEC on it though... I also noticed that
> when I attempt to look up the NS records, all it returns is a
> CNAME. Is that valid?
> Is's DNS configuration broken, or is Unbound broken?

Hi Mike,

The DNS setup of is broken. They've made the well-known
mistake of mixing a CNAME record with other records:

; <<>> DiG 9.7.3-P3 <<>> +norec ns @DNS1.NAME-SERVICES.COM
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17082
;; flags: qr aa; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 5

;			IN	NS

;; ANSWER SECTION:		1800	IN	CNAME		3600	IN	NS		3600	IN	NS		3600	IN	NS		3600	IN	NS		3600	IN	NS


Anand Buddhdev