[dns-operations] DNSSEC and qmail

Chris Thompson cet1 at cam.ac.uk
Thu Oct 8 13:33:09 UTC 2009


On Oct 8 2009, Tony Finch wrote:

>> roy$ dig +norec cam.ac.uk any
>>
>> ; <<>> DiG 9.4.3-P3 <<>> cam.ac.uk any
>[...]
>> ;; MSG SIZE  rcvd: 451
>
>I get
>
>;; Truncated, retrying in TCP mode.
>
>; <<>> DiG 9.4.2-P2 <<>> +norec any cam.ac.uk.
>[ snip loads ]
>
>;; Query time: 5 msec
>;; SERVER: 127.0.0.1#53(127.0.0.1)
>;; WHEN: Thu Oct  8 11:51:14 2009
>;; MSG SIZE  rcvd: 1315

As always with T_ANY, it depends entirely on what has got into your
nameserver's cache (unless it is authoritative for the name). Which
is why it's only fit to be a debugging tool in the first place.

I suspect that Roy's has dnssec-enable off (and has been collecting
data with do=0) while Tony's has it on (and has been using do=1).

Against a nameserver authoritative for it, "dig +norec cam.ac.uk any"
gives at least a 2095-byte response. (More if it happens to have
cached a few more IP addresses for its nameservers to add to the
additional section.)

-- 
Chris Thompson               University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.
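
An added example, not part of the original post: the wire-format fields behind the dig output quoted above (RD cleared by +norec, the TC bit behind "Truncated, retrying in TCP mode", and the EDNS0 DO bit and advertised UDP size). The function names, the query ID and the 4096-byte buffer size are assumptions made for illustration, and describe() only handles messages with empty answer and authority sections.

```python
import struct

QTYPE_ANY = 255   # T_ANY
TYPE_OPT = 41     # EDNS0 pseudo-RR (RFC 6891)

def encode_name(name):
    """Length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=QTYPE_ANY, rd=False, do=None, bufsize=4096, qid=0x1234):
    """do=None sends no OPT record; True/False sends one with DO set/clear."""
    flags = 0x0100 if rd else 0                 # RD stays clear for "+norec"
    msg = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0 if do is None else 1)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN
    if do is not None:
        ttl = 0x8000 if do else 0               # DO is bit 15 of the OPT flags
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, ttl, 0)
    return msg

def describe(msg):
    """Decode RD, TC and any trailing OPT record (query or empty truncated reply)."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"rd": bool(flags & 0x0100), "tc": bool(flags & 0x0200),
            "edns": False, "do": False, "udp_size": 512}   # 512: plain-DNS UDP limit
    pos = 12
    for _ in range(qd):                         # skip uncompressed question names
        while msg[pos]:
            pos += 1 + msg[pos]
        pos += 1 + 4                            # root label, QTYPE, QCLASS
    if an == 0 and ns == 0 and ar == 1 and msg[pos] == 0:
        rtype, size, ttl, _ = struct.unpack("!HHIH", msg[pos + 1:pos + 11])
        if rtype == TYPE_OPT:
            info.update(edns=True, do=bool(ttl & 0x8000), udp_size=size)
    return info

def fits_in_udp(query, response_size):
    """True if a reply of response_size bytes fits the size the query advertised."""
    return response_size <= describe(query)["udp_size"]

if __name__ == "__main__":
    plain = build_query("cam.ac.uk")            # no EDNS: 512-byte limit
    dnssec = build_query("cam.ac.uk", do=True)  # EDNS0 with DO=1
    for size in (451, 1315, 2095):              # MSG SIZE values from the thread
        print(size, fits_in_udp(plain, size), fits_in_udp(dnssec, size))
```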


