[dns-operations] DNSSEC and ANY query
Mark Pettit
mark at pettit.org
Tue Oct 4 19:43:48 UTC 2011
Hi, DNS folks.
I've recently noticed a difference in behavior between how BIND handles ANY queries for records with both A and AAAA records, and how Phreebird handles them. I'm curious if either is wrong, and what the spec says, so I thought I'd ask here.
First, here's how BIND handles an ANY query when the record in question contains both A records and AAAA records:
========================================================================
$ dig +dnssec www.isc.org. any
; <<>> DiG 9.6.2-RedHat-9.6.2-0.BH <<>> +dnssec www.isc.org. any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3702
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 5, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.isc.org. IN ANY
;; ANSWER SECTION:
www.isc.org. 3600 IN RRSIG NSEC 5 3 3600 20111031233230 20111001233230 21693 isc.org. oCAfaSUP2eeUsNFRyX2BNh92aKWvSL0F71PEW59NRs3rHqZ93Fj10lL6 MF4ZR157dKCAbzj4vIfZ1SkW+E9vxOqYz+FJCWEJq809USpuYFRcIVV5 0zP/+B0oYaYmw9gEPaXuYhwB3kWOTt6P2vYl8QHH4TkeTLeBR6rUPRGX sl8=
www.isc.org. 3600 IN NSEC www-dev.isc.org. A AAAA RRSIG NSEC
www.isc.org. 600 IN RRSIG AAAA 5 3 600 20111031233230 20111001233230 21693 isc.org. W3UIP7Q2OAgDVSILma/AODvbpH+dXD06s4RG+VensiDCOlAskTPHYnp1 MXxwMtPrkAGXHjNc0iNrsyG2fOV5rpiv6nBXFYsq867edUvDebGgpuYp pqDWgxPwC/UGt41DITzYcWdy0HpvJKYbMjq4Pfq3CnmUU/GINgtgyFyr u4A=
www.isc.org. 600 IN AAAA 2001:4f8:0:2::d
www.isc.org. 600 IN RRSIG A 5 3 600 20111031233230 20111001233230 21693 isc.org. r2ABZ9DJei4+9pNSVS40puQMGZ9rbH7NMa19xj/jZnRqMwxHxzQjpEKi A97xfJtYJGqDMyyaTwdKAsc8/3HG4XX8cnzSs/7AP6N4XJ9BrxOKp/P7 vQXxf8wiJV/jdGyxzmQL/CH+fuInIG2FJsa3Iohr/MCh4UZWYkOYKctF 7bA=
www.isc.org. 600 IN A 149.20.64.42
;; AUTHORITY SECTION:
isc.org. 1000 IN NS ams.sns-pb.isc.org.
isc.org. 1000 IN NS ns.isc.afilias-nst.info.
isc.org. 1000 IN NS ord.sns-pb.isc.org.
isc.org. 1000 IN NS sfba.sns-pb.isc.org.
isc.org. 7200 IN RRSIG NS 5 2 7200 20111031233230 20111001233230 21693 isc.org. nxYck7i6b45330OXV43MiA+hrV5SQNjFt2ZZmbYl/NkS2FGsDLgU/Oxk nat7Py+VvbBsncXzH8r1+vvB1vi1M1iCeIuzQ+Yfgkiuw0CFHIq2m7mN T/O9uGO67sPGXJ73Emfg3GGkt1sxLuoy5ZbupL1LbjV+yprDpgFCadAM yVI=
;; ADDITIONAL SECTION:
ord.sns-pb.isc.org. 7107 IN A 199.6.0.30
ord.sns-pb.isc.org. 7107 IN AAAA 2001:500:71::30
ord.sns-pb.isc.org. 7108 IN RRSIG A 5 4 7200 20111031233230 20111001233230 21693 isc.org. ZHRQ6RD/HEsXDXTGK5mdKYzv09/A4CwxdBtjYfWBdIbih+lQaHnFxEnx nnPXkPqPxaz/jCFzQgIDMswQ39Z0YyD6atoykCfTJUXj2mXT/87+culg Et55ihsORdGI+h/uC4dA94I1ZNNNkcIV0gGvGhvdBSkBmQ5GAncSR8EK Zwo=
ord.sns-pb.isc.org. 7108 IN RRSIG AAAA 5 4 7200 20111031233230 20111001233230 21693 isc.org. b4dtHqeURq6k5+n4kNrVfymeEE3G7hYFN/LRBjlP+yYNb8EFf+TjwiyC tiIH8IjO31W8mICyhFhYZQfL+yLLYC2ADMgLnwh/hlpxoXkun9O0tMqz xHgPDP89brqIiXuI5tRStD7gg5Y9vJQU2r8MQ6sb6ipTloMJQMdAu1Kj aok=
;; Query time: 84 msec
;; SERVER: 74.220.195.27#53(74.220.195.27)
;; WHEN: Tue Oct 4 13:37:30 2011
;; MSG SIZE rcvd: 1266
========================================================================
As you can see, BIND hands back an NSEC record, an A record, and an AAAA record, and an RRSIG for each of those. There's more stuff in the Authority and Additional section, but that's not relevant to my question.
Here's what I see from Phreebird 1.02:
========================================================================
$ dig +dnssec dnssec-test.yehoo.org. any
; <<>> DiG 9.6.2-RedHat-9.6.2-0.BH <<>> +dnssec dnssec-test.yehoo.org. any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31141
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssec-test.yehoo.org. IN ANY
;; ANSWER SECTION:
dnssec-test.yehoo.org. 7200 IN RRSIG A 7 3 7200 20111031232342 20111003232342 47384 yehoo.org. u5tckz/oLlUeuQkQ/s2iAuMGpFD61Zhffxf+BTHZ0gAu7rN6ekx6wDNH qoZtdMvTjIg1hZJA9/FPQtHksONg6vQGTPxXgt3XpKiYsodZzetdARmO 3EdOvzD7k59VkwwocWjtmDAHR2zp9x97KpmglqPXBtsO/PaS23KEqX2w bl0=
dnssec-test.yehoo.org. 7200 IN AAAA 2001:4998:0:4::1005
dnssec-test.yehoo.org. 7200 IN A 66.163.165.151
;; AUTHORITY SECTION:
yehoo.org. 172800 IN NS nsdos3.dns.ukl.yahoo.com.
yehoo.org. 172800 IN NS nsdos2.dns.ukl.yahoo.com.
yehoo.org. 172800 IN RRSIG NS 7 2 172800 20111031200014 20111003200014 47384 yehoo.org. gh075sBA+8DozLx4kbxBx4RiSrQcWNR7iwoanSU0IdRPLXuRg9WeQJPC I6Unc2j8ZvoQlSpCe784q8ccaWjwqXR4V75TuTdLqTtu6srIrYpcn0g2 t0VNNuC5GhNin91ll7KkSlLtQAeezEVe8q7GhVNYnhEQWSLkch44dnvv 1uc=
;; ADDITIONAL SECTION:
nsdos2.dns.ukl.yahoo.com. 1800 IN A 217.12.8.29
nsdos3.dns.ukl.yahoo.com. 1800 IN A 217.12.8.30
;; Query time: 267 msec
;; SERVER: 74.220.195.27#53(74.220.195.27)
;; WHEN: Tue Oct 4 13:40:31 2011
;; MSG SIZE rcvd: 523
========================================================================
Phreebird hands back both the A and the AAAA record, but does not sign the AAAA record.
Which behavior is correct, or are they both correct?
--
perl -le '$"=$,,@_=(1)x4,@a=(0,4,5,4),map+($_<<=6)+=13,@_;for(0..3
){$_[$_]+=1<<$a[$_]if$_;$_[$_]+=$a[$_]}$_[3]+=10,print map chr,@_'