[dns-operations] DNSSEC and qmail

Chris Thompson cet1 at cam.ac.uk
Thu Oct 8 13:33:09 UTC 2009

On Oct 8 2009, Tony Finch wrote:

>> roy$ dig +norec cam.ac.uk any
>> ; <<>> DiG 9.4.3-P3 <<>> cam.ac.uk any
>> ;; MSG SIZE  rcvd: 451
>I get
>;; Truncated, retrying in TCP mode.
>; <<>> DiG 9.4.2-P2 <<>> +norec any cam.ac.uk.
>[ snip loads ]
>;; Query time: 5 msec
>;; WHEN: Thu Oct  8 11:51:14 2009
>;; MSG SIZE  rcvd: 1315

As always with T_ANY, it depends entirely on what has got into your
nameserver's cache (unless it is authoritative for the name). Which
is why it's only fit to be a debugging tool in the first place.

I suspect that Roy's has dnssec-enable off (and has been collecting
data with do=0) while Tony's has it on (and has been using do=1).

Against a nameserver authoritative for it, "dig +norec cam.ac.uk any"
gives at least a 2095-byte response. (More if it happens to have
cached a few more IP addresses for its nameservers to add to the
additional section.)
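The do=0 / do=1 difference and the "Truncated, retrying in TCP mode" line both come down to a few bits on the wire, shown here as an added example that is not part of the original post. The function names, the query ID and the sample messages are constructed for illustration; nothing is sent on the network.

```python
import struct

T_ANY, T_OPT, C_IN = 255, 41, 1
DO_BIT = 0x8000  # "DNSSEC OK": top bit of the flags half of the OPT record's TTL field
TC_BIT = 0x0200  # truncation flag in the DNS header; makes dig retry over TCP

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=T_ANY, do=False, edns_size=None, qid=0x1234):
    """Build a +norec query; with no OPT record, UDP replies are limited to 512 bytes."""
    use_edns = do or edns_size is not None
    msg = struct.pack("!6H", qid, 0, 1, 0, 0, int(use_edns))  # flags 0: RD clear
    msg += encode_name(name) + struct.pack("!2H", qtype, C_IN)
    if use_edns:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = flags, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", T_OPT, edns_size or 4096,
                                     DO_BIT if do else 0, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past a name, which may end in a compression pointer."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def describe(msg):
    """Report the TC flag, plus EDNS payload size and DO bit if an OPT record is present."""
    _qid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    info = {"tc": bool(flags & TC_BIT), "edns_size": None, "do": False}
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS follow the name
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == T_OPT:
            info["edns_size"], info["do"] = rclass, bool(ttl & DO_BIT)
    return info

# Constructed samples: a do=0 query, a do=1 query, and a bare truncated reply header.
plain = build_query("cam.ac.uk")
dnssec = build_query("cam.ac.uk", do=True, edns_size=4096)
truncated = struct.pack("!6H", 0x1234, 0x8000 | TC_BIT, 0, 0, 0, 0)
```

Running `describe()` over the queries in a packet capture shows which clients are asking with do=1, and therefore which ones are populating a cache with RRSIG data.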

