Spurious SERVFAIL for txy.fr (questionable CNAME)
Knot cannot resolve www.txy.fr:
% dig A www.txy.fr
; <<>> DiG 9.10.3-P4-Debian <<>> A www.txy.fr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1033
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.txy.fr. IN A
;; Query time: 4414 msec
;; SERVER: 192.168.2.254#53(192.168.2.254)
;; WHEN: Mon Jun 26 20:07:35 UTC 2017
Other resolvers (I tested with BIND and Unbound) can do it. Here, Unbound:
% dig A www.txy.fr
; <<>> DiG 9.10.3-P4-Debian <<>> A www.txy.fr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33319
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.txy.fr. IN A
;; ANSWER SECTION:
www.txy.fr. 85198 IN CNAME txy.fr.
txy.fr. 85211 IN A 195.14.0.234
;; AUTHORITY SECTION:
txy.fr. 85198 IN NS dns.ispfr.net.
txy.fr. 85198 IN NS de1100.ispfr.net.
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jun 26 22:08:45 CEST 2017
;; MSG SIZE rcvd: 117
It is not a DNSSEC issue; the domain is not signed.
I assume the problem is with the questionable CNAME-to-apex. But, still, other resolvers can cope with it.
Knot DNS Resolver, version 1.2.6 (the Turris package on a Turris Omnia)