[dns-operations] BIND omitting CNAME wildcard NSEC when cd=1 ?

George Barwood george.barwood at blueyonder.co.uk
Tue Apr 26 22:58:22 UTC 2011

I'm seeing some strange behavior using the public BIND resolver https://www.dns-oarc.net/oarc/services/odvr

The response to

dig ptr www.cw.test.itec-usa.com +dnssec @ +cd=1

has a missing wildcard NSEC RRset in the authority section
( *.cw.test.itec-usa.com. NSEC ... )

The same query without +cd=1 returns the correct response, as does Unbound.

dig ptr www.cw.test.itec-usa.com +dnssec @ +cd=1

The BIND version number is 9.7.1-P2 ( from dig chaos txt version.bind @ ).

The context is that I'm developing a resolver with forwarding functionality,
and couldn't validate the response due to the missing RRset when testing a wildcard CNAME.

At first sight this seems to be a BIND bug. Has anyone seen this before?
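
The following is an added example, not part of the original post: a sketch of the check a forwarding validator can run on such a response, following RFC 4035 (an RRSIG Labels field smaller than the owner's label count marks a wildcard expansion, and the authority section must then carry an NSEC covering the query name). Function names and the NSEC next name are constructed for illustration, and signature verification is assumed to happen elsewhere.

```python
# Added example: function names and the NSEC "next" name are constructed.

def canon_key(name):
    """RFC 4034 section 6.1 ordering key: lowercased labels, rightmost first."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return [l.encode("ascii") for l in reversed(labels)]

def label_count(name):
    """Labels as counted by the RRSIG Labels field (no root, no leading '*')."""
    key = canon_key(name)
    return len(key) - (1 if key and key[-1] == b"*" else 0)

def nsec_covers(owner, next_name, qname):
    """True if qname sorts strictly between an NSEC owner and its next name."""
    o, n, q = canon_key(owner), canon_key(next_name), canon_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # the last NSEC in a zone wraps around to the apex

def wildcard_proof_status(qname, answer_rrsigs, authority_nsecs):
    """answer_rrsigs: [(owner, rrsig_labels)]; authority_nsecs: [(owner, next)]."""
    q = canon_key(qname)
    expanded = any(canon_key(o) == q and labels < label_count(o)
                   for o, labels in answer_rrsigs)
    if not expanded:
        return "not-wildcard"
    if any(nsec_covers(o, n, qname) for o, n in authority_nsecs):
        return "proof-present"
    return "proof-missing"

QNAME = "www.cw.test.itec-usa.com."
# RRSIG over the CNAME: 5 labels in the owner, Labels field 4 => wildcard expansion.
ANSWER_RRSIGS = [(QNAME, 4)]
# Constructed NSEC: the owner is from the post, the next name is made up.
AUTH_NSECS = [("*.cw.test.itec-usa.com.", "zz-constructed.test.itec-usa.com.")]

if __name__ == "__main__":
    print("full response:", wildcard_proof_status(QNAME, ANSWER_RRSIGS, AUTH_NSECS))
    print("NSEC omitted: ", wildcard_proof_status(QNAME, ANSWER_RRSIGS, []))
```

A "proof-missing" result from an upstream queried with the CD bit set is the condition described in the post; a forwarder that sees it cannot complete validation from that response alone.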

