[dns-operations] BIND omitting CNAME wildcard NSEC when cd=1 ?
George Barwood
george.barwood at blueyonder.co.uk
Wed Apr 27 08:14:46 UTC 2011
----- Original Message -----
From: "Geoffrey Sisson" <geoff at dns-oarc.net>
To: <dns-operations at lists.dns-oarc.net>
Cc: <george.barwood at blueyonder.co.uk>
Sent: Wednesday, April 27, 2011 1:44 AM
Subject: Re: [dns-operations] BIND omitting CNAME wildcard NSEC when cd=1 ?
> "George Barwood" <george.barwood at blueyonder.co.uk> wrote:
>
>> The BIND version number is 9.7.1-P2 ( from dig chaos txt
>> version.bind @149.20.64.20 ).
>
> I've upgraded the BIND ODVR to BIND 9.8.0 and it's still not returning
> that wildcard NSEC for that query. I haven't had an opportunity to check
> whether that makes any sense. I take it this is a test case designed to
> elicit edge case behaviour?
Yes, that's correct. A CNAME at a wildcard can generate multiple NSEC RRsets in
recursive responses that need special handling - it's quite tricky to ensure that the
cached RRsets have the correct NSEC records attached to them. In this case the response
should have a Wildcard CNAME RRset with associated NSEC record and also a NoData
pseudo-RRset with an NSEC record that proves the NoData condition.
I wasn't trying to elicit edge case behavior in BIND though, rather in the resolver I am developing.
Is the BIND ODVR configured to use forwarders? I guess not, but if so that could be relevant.
George
> (I also upgraded the Unbound ODVR from 1.4.7 to 1.4.9.)
>
> Geoff
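
Added example, not part of the original messages and not code from BIND, Unbound or the resolver under discussion: a sketch of the two NSEC checks a validator needs for a wildcard CNAME that ends in NoData, run against a complete authority section and one with the wildcard NSEC omitted. The zone example.test, its names and its type lists are constructed; plain labels and NSEC (not NSEC3) are assumed.

```python
# Added example. Zone names and type lists below are constructed.
# Assumes plain labels (no escaped dots) and NSEC, not NSEC3.

def canon_key(name):
    """RFC 4034 section 6.1 canonical order: labels right to left, lowercased."""
    labels = [l for l in name.lower().split(".") if l]
    return [l.encode() for l in reversed(labels)]

def nsec_covers(owner, nxt, qname, apex):
    """True if NSEC(owner -> nxt) proves qname does not exist as an exact name."""
    o, n, q = canon_key(owner), canon_key(nxt), canon_key(qname)
    if n == canon_key(apex):          # last NSEC in the chain wraps to the apex
        return o < q
    return o < q < n

def nsec_proves_nodata(owner, types, name, qtype):
    """True if an NSEC owned by name shows neither qtype nor CNAME exists there."""
    return (canon_key(owner) == canon_key(name)
            and qtype not in types and "CNAME" not in types)

def check_wildcard_cname_nodata(qname, qtype, target, apex, nsecs):
    """nsecs: list of (owner, next, types). Reports which proofs are present."""
    expansion = any(nsec_covers(o, n, qname, apex) for o, n, _ in nsecs)
    nodata = any(nsec_proves_nodata(o, t, target, qtype) for o, _, t in nsecs)
    return {"wildcard_expansion": expansion, "nodata": nodata}

# Constructed zone: *.w.example.test CNAME target.example.test, target has TXT only.
APEX = "example.test."
WILDCARD_NSEC = ("*.w.example.test.", "example.test.", {"CNAME", "RRSIG", "NSEC"})
TARGET_NSEC = ("target.example.test.", "*.w.example.test.", {"TXT", "RRSIG", "NSEC"})

if __name__ == "__main__":
    cases = (("complete", [WILDCARD_NSEC, TARGET_NSEC]),
             ("wildcard NSEC omitted", [TARGET_NSEC]))
    for label, nsecs in cases:
        print(label, check_wildcard_cname_nodata(
            "a.w.example.test.", "A", "target.example.test.", APEX, nsecs))
```
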