[dns-operations] Can't resolve NIH.GOV records

Michael Sinatra michael at rancid.berkeley.edu
Thu May 7 20:36:57 UTC 2009

On 5/7/09 10:09 AM, Craig Leres wrote:

> Are there NSEC3 issues with all versions of bind < 9.6.1b1? (If so
> then downgrading to 9.5 won't help me.) It sounds like my only
> options to solve this problem are to run the beta version of 9.6
> or to turn off DLV.

I am running a mix of 9.6.0-P1 and 9.6.1b1 on my anycast cloud of 
caching resolvers.  I am not having problems resolving nih.gov, at least 
not right now, and I am properly validating gov on all servers (both 
versions above).

In answer to Andrew's question, UC Berkeley does not use views.  We have 
generally not experienced problems that weren't replicated by others (at 
least not that I can remember).  The one wrinkle is that we do "prime" 
our caching nameservers with many of the zones for which our 
authoritative servers are authoritative.  (The reason for this is partly 
historical.)  This will create an interesting dilemma once we start 
signing our zones, since our caching servers won't actually validate 
zones that they load directly.  (This dilemma also applies to people who 
do zone transfers of the root for their caching boxes, once the root is 

Once our zones are signed, it will require a re-evaluation of what is 
the "best" way to run a caching nameserver--start out with a perfectly 
clean cache (maybe primed with certain queries) or load a few zones from 
your authoritative servers for which you know will get a lot of queries.

In the meantime, I need to continue nagging the FJ ccTLD administrators 
to stop referencing our caching nameservers in the NS records of the FJ 


More information about the dns-operations mailing list