On Sun, Apr 28, 2024 at 7:56 PM Mark Andrews wrote:
>
> It isn’t DNSSEC. It’s a badly configured DNS server that is claiming that it
> serves .com rather than dnssec-analyzer-gslb.verisignlabs.com which is
> actually delegated to it.
>
> % dig dnssec-analyzer-gslb.verisignlabs.com aaaa +trace +all
> ;; BADCOOKIE, retrying.
>
> ; <<>> DiG 9.19.24-dev <<>> dnssec-analyzer-gslb.verisignlabs.com aaaa +trace +all
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37498
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 27
<.. snip lots ..>
> ;; AUTHORITY SECTION:
> com. 60 IN SOA this.name.is.invalid. hostmaster.this.name.is.invalid. 2023030710 10800 3600 604800 60

I did a search for "this.name.is.invalid" and the only results I got
were for F5 support pages - eg.

The fix in BIG-IP DNS 14.1.0 introduces a new setting,
wideip-zone-nameserver, which defaults the WideIP zone nameserver to
this.name.is.invalid.

Wouldn't a badly configured F5 server be a better explanation?

Thanks
Lee
bind-users mailing list
https://lists.isc.org/mailman/listinfo/bind-users
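
Added example, not part of the original message or of BIND: a small check over dig output that flags the two symptoms discussed in the thread, an AUTHORITY-section SOA whose owner name lies outside the zone delegated to the server, and an SOA MNAME equal to the `this.name.is.invalid.` placeholder. The function names and the sample text are constructed for illustration; the sample reuses the SOA line quoted above.

```python
import re

# Constructed sample: the AUTHORITY section quoted in the thread, on one line.
SAMPLE_DIG_OUTPUT = """\
;; AUTHORITY SECTION:
com. 60 IN SOA this.name.is.invalid. hostmaster.this.name.is.invalid. 2023030710 10800 3600 604800 60
"""
PLACEHOLDER_MNAME = "this.name.is.invalid."  # default named in the quoted F5 text
SOA_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+SOA\s+(\S+)\s+(\S+)\s", re.I)


def labels(name):
    """Split a domain name into lower-case labels, ignoring the trailing dot."""
    return [part for part in name.lower().rstrip(".").split(".") if part]


def is_at_or_below(name, zone):
    """True when `name` equals `zone` or is a subdomain of it."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def authority_soas(dig_text):
    """Return (owner, mname) for each SOA record in dig's AUTHORITY section."""
    found, in_authority = [], False
    for line in dig_text.splitlines():
        if line.startswith(";;"):          # section headers and status lines
            in_authority = "AUTHORITY SECTION" in line
            continue
        match = SOA_RE.match(line) if in_authority else None
        if match:
            found.append((match.group(1), match.group(3)))
    return found


def check_negative_answer(dig_text, qname, delegated_zone):
    """List problems with the SOA a server returned for `qname`."""
    findings = []
    for owner, mname in authority_soas(dig_text):
        # The SOA owner must sit at or below the delegation and enclose qname.
        if not (is_at_or_below(owner, delegated_zone) and is_at_or_below(qname, owner)):
            findings.append(f"SOA owner {owner} is outside delegated zone {delegated_zone}")
        if mname.lower() == PLACEHOLDER_MNAME:
            findings.append(f"SOA MNAME is the placeholder {mname}")
    return findings


if __name__ == "__main__":
    zone = "dnssec-analyzer-gslb.verisignlabs.com."
    for finding in check_negative_answer(SAMPLE_DIG_OUTPUT, zone, zone):
        print(finding)
```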