[dns-operations] BIND omitting CNAME wildcard NSEC when cd=1 ?
george.barwood at blueyonder.co.uk
Tue Apr 26 22:58:22 UTC 2011
I'm seeing some strange behavior using the public BIND resolver https://www.dns-oarc.net/oarc/services/odvr
The response to
dig ptr www.cw.test.itec-usa.com +dnssec @22.214.171.124 +cd=1
has a missing wildcard NSEC RRset in the authority section
( *.cw.test.itec-usa.com. NSEC ... )
The same query without +cd=1 returns the correct response, as does Unbound
dig ptr www.cw.test.itec-usa.com +dnssec @126.96.36.199 +cd=1
The BIND version number is 9.7.1-P2 ( from dig chaos txt version.bind @188.8.131.52 ).
The context is that I'm developing a resolver with forwarding functionality,
and couldn't validate the response due to the missing RRset when testing a wildcard CNAME.
At first sight this seems to be a BIND bug, has anyone seen this before?
More information about the dns-operations