[dns-operations] BIND omitting CNAME wildcard NSEC when cd=1 ?

George Barwood george.barwood at blueyonder.co.uk
Wed Apr 27 08:14:46 UTC 2011

----- Original Message ----- 
From: "Geoffrey Sisson" <geoff at dns-oarc.net>
To: <dns-operations at lists.dns-oarc.net>
Cc: <george.barwood at blueyonder.co.uk>
Sent: Wednesday, April 27, 2011 1:44 AM
Subject: Re: [dns-operations] BIND omitting CNAME wildcard NSEC when cd=1 ?

> "George Barwood" <george.barwood at blueyonder.co.uk> wrote:
>> The BIND version number is 9.7.1-P2 ( from dig chaos txt
>> version.bind @ ).
> I've upgraded the BIND ODVR to BIND 9.8.0 and it's still not returning
> that wildcard NSEC for that query.  I haven't had an opportunity to check
> whether that makes any sense.  I take it this is a test case designed to
> elicit edge case behaviour?

Yes, that's correct. A CNAME at a wildcard can generate multiple NSEC RRsets in 
recursive responses that need special handling - it's quite tricky to ensure that the
cached RRsets have the correct NSEC records attached to them. In this case the response
should have a Wildcard CNAME RRset with associated NSEC record and also a NoData 
pseudo-RRset with an NSEC record that proves the NoData condition.

I wasn't trying to elicit edge case behavior in BIND though, rather in the resolver I am developing.

Is the BIND ODVR configured to use forwarders? I guess not, but if so that could be relevant.


> (I also upgraded the Unbound ODVR from 1.4.7 to 1.4.9.)
> Geoff
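As an added example (not from the thread or from either resolver), the two NSEC proofs a validating resolver wants to see for the shape of response described above: one NSEC covering the query name (so the wildcard synthesis of the CNAME is legitimate) and one NSEC at the CNAME target proving NoData for the query type. The zone names, NSEC chain and query are constructed for illustration.

```python
# Added example (not from the thread): checks the two NSEC proofs expected in a
# wildcard-CNAME response whose CNAME target then yields NoData. The zone
# contents and NSEC chain below are constructed, not taken from any real zone.

def _key(name):
    """RFC 4034 s6.1 canonical ordering key: labels right-to-left, lowercased."""
    labels = name.rstrip(".").lower().split(".") if name.rstrip(".") else []
    return [label.encode() for label in reversed(labels)]

def canon_lt(a, b):
    """True if name a sorts before name b in DNSSEC canonical order."""
    return _key(a) < _key(b)

def nsec_covers(owner, nxt, name):
    """True if 'name' sorts strictly between the NSEC owner and its next name."""
    if canon_lt(owner, nxt):
        return canon_lt(owner, name) and canon_lt(name, nxt)
    return canon_lt(owner, name) or canon_lt(name, nxt)  # last NSEC wraps to apex

def nsec_proves_nodata(owner, types, name, qtype):
    """Name exists (NSEC owner matches) but has no qtype; a CNAME bit would
    mean the answer should have been a CNAME rather than NoData."""
    return _key(owner) == _key(name) and qtype not in types and "CNAME" not in types

def verify_wildcard_cname_response(qname, qtype, cname_target, nsecs):
    """nsecs: list of (owner, next, [types]) from the response. Returns (ok, reason)."""
    if not any(nsec_covers(o, n, qname) for o, n, _ in nsecs):
        return False, "no NSEC proves %s does not exist; wildcard expansion unproven" % qname
    if not any(nsec_proves_nodata(o, t, cname_target, qtype) for o, _, t in nsecs):
        return False, "no NSEC proves NoData for %s/%s at the CNAME target" % (cname_target, qtype)
    return True, "wildcard CNAME proof and NoData proof both present"

# Constructed zone: apex, a CNAME at *.example.com, and a target that only has TXT.
NSEC_CHAIN = [
    ("example.com.", "*.example.com.", ["SOA", "NS", "RRSIG", "NSEC"]),
    ("*.example.com.", "target.example.com.", ["CNAME", "RRSIG", "NSEC"]),
    ("target.example.com.", "example.com.", ["TXT", "RRSIG", "NSEC"]),
]

if __name__ == "__main__":
    # foo.example.com/A is synthesized from *.example.com CNAME target.example.com,
    # and target.example.com has no A record, hence the NoData proof.
    print(verify_wildcard_cname_response("foo.example.com.", "A",
                                         "target.example.com.", NSEC_CHAIN))
```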
