[dns-operations] DNSSEC and ANY query
Mark Pettit
mark at pettit.org
Tue Oct 4 20:57:55 UTC 2011
Digging against the auth server for yehoo.org. doesn't change the ANSWER section:
Here is the BIND answer:
========================================================================
$ dig +dnssec @ams.sns-pb.isc.org. www.isc.org. any
; <<>> DiG 9.6.2-RedHat-9.6.2-0.BH <<>> +dnssec @ams.sns-pb.isc.org. www.isc.org. any
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51177
;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 5, ADDITIONAL: 13
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.isc.org. IN ANY
;; ANSWER SECTION:
www.isc.org. 3600 IN RRSIG NSEC 5 3 3600 20111031233230 20111001233230 21693 isc.org. oCAfaSUP2eeUsNFRyX2BNh92aKWvSL0F71PEW59NRs3rHqZ93Fj10lL6 MF4ZR157dKCAbzj4vIfZ1SkW+E9vxOqYz+FJCWEJq809USpuYFRcIVV5 0zP/+B0oYaYmw9gEPaXuYhwB3kWOTt6P2vYl8QHH4TkeTLeBR6rUPRGX sl8=
www.isc.org. 3600 IN NSEC www-dev.isc.org. A AAAA RRSIG NSEC
www.isc.org. 600 IN RRSIG AAAA 5 3 600 20111031233230 20111001233230 21693 isc.org. W3UIP7Q2OAgDVSILma/AODvbpH+dXD06s4RG+VensiDCOlAskTPHYnp1 MXxwMtPrkAGXHjNc0iNrsyG2fOV5rpiv6nBXFYsq867edUvDebGgpuYp pqDWgxPwC/UGt41DITzYcWdy0HpvJKYbMjq4Pfq3CnmUU/GINgtgyFyr u4A=
www.isc.org. 600 IN AAAA 2001:4f8:0:2::d
www.isc.org. 600 IN RRSIG A 5 3 600 20111031233230 20111001233230 21693 isc.org. r2ABZ9DJei4+9pNSVS40puQMGZ9rbH7NMa19xj/jZnRqMwxHxzQjpEKi A97xfJtYJGqDMyyaTwdKAsc8/3HG4XX8cnzSs/7AP6N4XJ9BrxOKp/P7 vQXxf8wiJV/jdGyxzmQL/CH+fuInIG2FJsa3Iohr/MCh4UZWYkOYKctF 7bA=
www.isc.org. 600 IN A 149.20.64.42
;; AUTHORITY SECTION:
isc.org. 7200 IN NS ams.sns-pb.isc.org.
isc.org. 7200 IN NS ns.isc.afilias-nst.info.
isc.org. 7200 IN NS sfba.sns-pb.isc.org.
isc.org. 7200 IN NS ord.sns-pb.isc.org.
isc.org. 7200 IN RRSIG NS 5 2 7200 20111031233230 20111001233230 21693 isc.org. nxYck7i6b45330OXV43MiA+hrV5SQNjFt2ZZmbYl/NkS2FGsDLgU/Oxk nat7Py+VvbBsncXzH8r1+vvB1vi1M1iCeIuzQ+Yfgkiuw0CFHIq2m7mN T/O9uGO67sPGXJ73Emfg3GGkt1sxLuoy5ZbupL1LbjV+yprDpgFCadAM yVI=
;; ADDITIONAL SECTION:
ams.sns-pb.isc.org. 7200 IN A 199.6.1.30
ams.sns-pb.isc.org. 7200 IN AAAA 2001:500:60::30
ord.sns-pb.isc.org. 7200 IN A 199.6.0.30
ord.sns-pb.isc.org. 7200 IN AAAA 2001:500:71::30
sfba.sns-pb.isc.org. 7200 IN A 149.20.64.3
sfba.sns-pb.isc.org. 7200 IN AAAA 2001:4f8:0:2::19
ams.sns-pb.isc.org. 7200 IN RRSIG A 5 4 7200 20111031233230 20111001233230 21693 isc.org. tp46ac7qNcCNbigQz+irRwtFT+uUcXhP2bCo8tcpN3egG8TjzeyMZjxa T1jdbWuFOulbXAD0gyvbRehuFSY60h9qFsHP4AexrHqBtosHr48Q0KWE fAAxHZMOQHE6kaS4FdAkVk3FtMVXlFnitBGWrPyXhqPQ/N/EZ7EvU0FU NMI=
ams.sns-pb.isc.org. 7200 IN RRSIG AAAA 5 4 7200 20111031233230 20111001233230 21693 isc.org. Gf1Vr+eJTNxqovT1QAkaywkJbHb//68epXhmoXaH4lXtMnBnn/cwRh8w 0x2TiGoi9ssGWY/ldPF2VYqiXWe6QIOmPYO/+D7LBSjUCTERgEf3xOgu uZahZWPgMTDzqobPs4DHuXLeGQmCAqdtxa/xKQ1KHuJiMLPxWC73k5Xe pRg=
ord.sns-pb.isc.org. 7200 IN RRSIG A 5 4 7200 20111031233230 20111001233230 21693 isc.org. ZHRQ6RD/HEsXDXTGK5mdKYzv09/A4CwxdBtjYfWBdIbih+lQaHnFxEnx nnPXkPqPxaz/jCFzQgIDMswQ39Z0YyD6atoykCfTJUXj2mXT/87+culg Et55ihsORdGI+h/uC4dA94I1ZNNNkcIV0gGvGhvdBSkBmQ5GAncSR8EK Zwo=
ord.sns-pb.isc.org. 7200 IN RRSIG AAAA 5 4 7200 20111031233230 20111001233230 21693 isc.org. b4dtHqeURq6k5+n4kNrVfymeEE3G7hYFN/LRBjlP+yYNb8EFf+TjwiyC tiIH8IjO31W8mICyhFhYZQfL+yLLYC2ADMgLnwh/hlpxoXkun9O0tMqz xHgPDP89brqIiXuI5tRStD7gg5Y9vJQU2r8MQ6sb6ipTloMJQMdAu1Kj aok=
sfba.sns-pb.isc.org. 7200 IN RRSIG A 5 4 7200 20111031233230 20111001233230 21693 isc.org. mBqkvSczD5qZyrFghl0mpKmrr3+W/FMSEuAp0n41j2kHZc1U/fLmkfOp GiByb7HE9PRbX/ZYovuRbI+NjT5BOa4Cpoa7YPYhfenIrKbWo50crXfq 5I7ZE91asH5JLo3qtzUKHnKutXHZ2JqVcq+1SZO7qx6n+XWRDjXwRreW hCY=
sfba.sns-pb.isc.org. 7200 IN RRSIG AAAA 5 4 7200 20111031233230 20111001233230 21693 isc.org. t2Wbj5KE9iM4BSZ4MnuLKo92Sl1a9/kOI4INtf/j9/jjvs4ab7dBvz0a vpjnDZgirryjnf9WyQQVsIjupyhamw/v3rm7LTxJHjNROYocWztIG/Ua 75b0zaBa9fxsu7Rmp7/3LnEwFVsfpoULPbKEl2HevTh6jrXw0v2Lxxz1 E9Q=
;; Query time: 156 msec
;; SERVER: 199.6.1.30#53(199.6.1.30)
;; WHEN: Tue Oct 4 14:51:40 2011
;; MSG SIZE rcvd: 2022
========================================================================
And here's Phreebird:
========================================================================
$ dig +dnssec @nsdos2.dns.ukl.yahoo.com. dnssec-test.yehoo.org. any
; <<>> DiG 9.6.2-RedHat-9.6.2-0.BH <<>> +dnssec @nsdos2.dns.ukl.yahoo.com. dnssec-test.yehoo.org. any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60407
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssec-test.yehoo.org. IN ANY
;; ANSWER SECTION:
dnssec-test.yehoo.org. 7200 IN A 66.163.165.151
dnssec-test.yehoo.org. 7200 IN AAAA 2001:4998:0:4::1005
dnssec-test.yehoo.org. 7200 IN RRSIG A 7 3 7200 20111031232342 20111003232342 47384 yehoo.org. u5tckz/oLlUeuQkQ/s2iAuMGpFD61Zhffxf+BTHZ0gAu7rN6ekx6wDNH qoZtdMvTjIg1hZJA9/FPQtHksONg6vQGTPxXgt3XpKiYsodZzetdARmO 3EdOvzD7k59VkwwocWjtmDAHR2zp9x97KpmglqPXBtsO/PaS23KEqX2w bl0=
;; AUTHORITY SECTION:
yehoo.org. 172800 IN NS nsdos2.dns.ukl.yahoo.com.
yehoo.org. 172800 IN NS nsdos3.dns.ukl.yahoo.com.
yehoo.org. 172800 IN RRSIG NS 7 2 172800 20111031200014 20111003200014 47384 yehoo.org. gh075sBA+8DozLx4kbxBx4RiSrQcWNR7iwoanSU0IdRPLXuRg9WeQJPC I6Unc2j8ZvoQlSpCe784q8ccaWjwqXR4V75TuTdLqTtu6srIrYpcn0g2 t0VNNuC5GhNin91ll7KkSlLtQAeezEVe8q7GhVNYnhEQWSLkch44dnvv 1uc=
;; Query time: 169 msec
;; SERVER: 217.12.8.29#53(217.12.8.29)
;; WHEN: Tue Oct 4 14:52:34 2011
;; MSG SIZE rcvd: 598
========================================================================
Thanks for the reply. I forgot to dig directly against the authoritative server.
To be clear, when I ask for an AAAA record from Phreebird, it hands back the record along with a signature for the AAAA record. It just doesn't hand it back when I query for ANY:
========================================================================
$ dig +dnssec @nsdos2.dns.ukl.yahoo.com. dnssec-test.yehoo.org. aaaa
; <<>> DiG 9.6.2-RedHat-9.6.2-0.BH <<>> +dnssec @nsdos2.dns.ukl.yahoo.com. dnssec-test.yehoo.org. aaaa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4036
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssec-test.yehoo.org. IN AAAA
;; ANSWER SECTION:
dnssec-test.yehoo.org. 7200 IN AAAA 2001:4998:0:4::1005
dnssec-test.yehoo.org. 7200 IN RRSIG AAAA 7 3 7200 20111031225907 20111003225907 47384 yehoo.org. WeoTKj/f5oSJmbcqFxC6eiFbhY4V5VHMEijgiv+N8+d00E4oIk+kNoGO ZtT75xhiALXNsCtRJ1ECDqXTagKgDE4yKr1gxGvkh9pRBXWJYUaRZtWR 3S+EkiXnGKCgChjGbCiJuaZnalbPqEgrA0NBz16YvcUlH8APm2dgngxl 5CE=
;; AUTHORITY SECTION:
yehoo.org. 172800 IN NS nsdos2.dns.ukl.yahoo.com.
yehoo.org. 172800 IN NS nsdos3.dns.ukl.yahoo.com.
yehoo.org. 172800 IN RRSIG NS 7 2 172800 20111031200014 20111003200014 47384 yehoo.org. gh075sBA+8DozLx4kbxBx4RiSrQcWNR7iwoanSU0IdRPLXuRg9WeQJPC I6Unc2j8ZvoQlSpCe784q8ccaWjwqXR4V75TuTdLqTtu6srIrYpcn0g2 t0VNNuC5GhNin91ll7KkSlLtQAeezEVe8q7GhVNYnhEQWSLkch44dnvv 1uc=
;; Query time: 167 msec
;; SERVER: 217.12.8.29#53(217.12.8.29)
;; WHEN: Tue Oct 4 14:57:03 2011
;; MSG SIZE rcvd: 561
========================================================================
On Oct 4, 2011, at 1:47 PM, Edward Lewis wrote:
> Neither answer is an authoritative answer (aa flag), so it's hard to isolate.
>
> The latter answer is missing an RRSIG(AAAA). And the NSEC, RRSIG(NSEC) might be missing because they weren't in cache when the ANY query comes in.
>
> Try dig @<auth-server> name any
>
> and compare the results.
>
>
> At 12:43 -0700 10/4/11, Mark Pettit wrote:
>> Hi, DNS folks.
>>
>> I've recently noticed a difference in behavior between how BIND handles ANY queries for records with both A and AAAA records, and how Phreebird handles them. I'm curious if either is wrong, and what the spec says, so I thought I'd ask here.
>>
>> First, here's how BIND handles an ANY query when the record in question contains both A records and AAAA records:
>>
>> ========================================================================
>> $ dig +dnssec www.isc.org. any
>>
>> ; <<>> DiG 9.6.2-RedHat-9.6.2-0.BH <<>> +dnssec www.isc.org. any
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3702
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 5, ADDITIONAL: 5
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4096
>> ;; QUESTION SECTION:
>> ;www.isc.org. IN ANY
>>
>> ;; ANSWER SECTION:
>> www.isc.org. 3600 IN RRSIG NSEC 5 3 3600 20111031233230 20111001233230 21693 isc.org. oCAfaSUP2eeUsNFRyX2BNh92aKWvSL0F71PEW59NRs3rHqZ93Fj10lL6 MF4ZR157dKCAbzj4vIfZ1SkW+E9vxOqYz+FJCWEJq809USpuYFRcIVV5 0zP/+B0oYaYmw9gEPaXuYhwB3kWOTt6P2vYl8QHH4TkeTLeBR6rUPRGX sl8=
>> www.isc.org. 3600 IN NSEC www-dev.isc.org. A AAAA RRSIG NSEC
>> www.isc.org. 600 IN RRSIG AAAA 5 3 600 20111031233230 20111001233230 21693 isc.org. W3UIP7Q2OAgDVSILma/AODvbpH+dXD06s4RG+VensiDCOlAskTPHYnp1 MXxwMtPrkAGXHjNc0iNrsyG2fOV5rpiv6nBXFYsq867edUvDebGgpuYp pqDWgxPwC/UGt41DITzYcWdy0HpvJKYbMjq4Pfq3CnmUU/GINgtgyFyr u4A=
>> www.isc.org. 600 IN AAAA 2001:4f8:0:2::d
>> www.isc.org. 600 IN RRSIG A 5 3 600 20111031233230 20111001233230 21693 isc.org. r2ABZ9DJei4+9pNSVS40puQMGZ9rbH7NMa19xj/jZnRqMwxHxzQjpEKi A97xfJtYJGqDMyyaTwdKAsc8/3HG4XX8cnzSs/7AP6N4XJ9BrxOKp/P7 vQXxf8wiJV/jdGyxzmQL/CH+fuInIG2FJsa3Iohr/MCh4UZWYkOYKctF 7bA=
>> www.isc.org. 600 IN A 149.20.64.42
>>
>> ;; AUTHORITY SECTION:
>> isc.org. 1000 IN NS ams.sns-pb.isc.org.
>> isc.org. 1000 IN NS ns.isc.afilias-nst.info.
>> isc.org. 1000 IN NS ord.sns-pb.isc.org.
>> isc.org. 1000 IN NS sfba.sns-pb.isc.org.
>> isc.org. 7200 IN RRSIG NS 5 2 7200 20111031233230 20111001233230 21693 isc.org. nxYck7i6b45330OXV43MiA+hrV5SQNjFt2ZZmbYl/NkS2FGsDLgU/Oxk nat7Py+VvbBsncXzH8r1+vvB1vi1M1iCeIuzQ+Yfgkiuw0CFHIq2m7mN T/O9uGO67sPGXJ73Emfg3GGkt1sxLuoy5ZbupL1LbjV+yprDpgFCadAM yVI=
>>
>> ;; ADDITIONAL SECTION:
>> ord.sns-pb.isc.org. 7107 IN A 199.6.0.30
>> ord.sns-pb.isc.org. 7107 IN AAAA 2001:500:71::30
>> ord.sns-pb.isc.org. 7108 IN RRSIG A 5 4 7200 20111031233230 20111001233230 21693 isc.org. ZHRQ6RD/HEsXDXTGK5mdKYzv09/A4CwxdBtjYfWBdIbih+lQaHnFxEnx nnPXkPqPxaz/jCFzQgIDMswQ39Z0YyD6atoykCfTJUXj2mXT/87+culg Et55ihsORdGI+h/uC4dA94I1ZNNNkcIV0gGvGhvdBSkBmQ5GAncSR8EK Zwo=
>> ord.sns-pb.isc.org. 7108 IN RRSIG AAAA 5 4 7200 20111031233230 20111001233230 21693 isc.org. b4dtHqeURq6k5+n4kNrVfymeEE3G7hYFN/LRBjlP+yYNb8EFf+TjwiyC tiIH8IjO31W8mICyhFhYZQfL+yLLYC2ADMgLnwh/hlpxoXkun9O0tMqz xHgPDP89brqIiXuI5tRStD7gg5Y9vJQU2r8MQ6sb6ipTloMJQMdAu1Kj aok=
>>
>> ;; Query time: 84 msec
>> ;; SERVER: 74.220.195.27#53(74.220.195.27)
>> ;; WHEN: Tue Oct 4 13:37:30 2011
>> ;; MSG SIZE rcvd: 1266
>>
>> ========================================================================
>>
>> As you can see, BIND hands back an NSEC record, an A record, and an AAAA record, along with an RRSIG for each of those. There's more stuff in the Authority and Additional section, but that's not relevant to my question.
>>
>> Here's what I see from Phreebird 1.02:
>>
>> ========================================================================
>> $ dig +dnssec dnssec-test.yehoo.org. any
>>
>> ; <<>> DiG 9.6.2-RedHat-9.6.2-0.BH <<>> +dnssec dnssec-test.yehoo.org. any
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31141
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 3
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4096
>> ;; QUESTION SECTION:
>> ;dnssec-test.yehoo.org. IN ANY
>>
>> ;; ANSWER SECTION:
>> dnssec-test.yehoo.org. 7200 IN RRSIG A 7 3 7200 20111031232342 20111003232342 47384 yehoo.org. u5tckz/oLlUeuQkQ/s2iAuMGpFD61Zhffxf+BTHZ0gAu7rN6ekx6wDNH qoZtdMvTjIg1hZJA9/FPQtHksONg6vQGTPxXgt3XpKiYsodZzetdARmO 3EdOvzD7k59VkwwocWjtmDAHR2zp9x97KpmglqPXBtsO/PaS23KEqX2w bl0=
>> dnssec-test.yehoo.org. 7200 IN AAAA 2001:4998:0:4::1005
>> dnssec-test.yehoo.org. 7200 IN A 66.163.165.151
>>
>> ;; AUTHORITY SECTION:
>> yehoo.org. 172800 IN NS nsdos3.dns.ukl.yahoo.com.
>> yehoo.org. 172800 IN NS nsdos2.dns.ukl.yahoo.com.
>> yehoo.org. 172800 IN RRSIG NS 7 2 172800 20111031200014 20111003200014 47384 yehoo.org. gh075sBA+8DozLx4kbxBx4RiSrQcWNR7iwoanSU0IdRPLXuRg9WeQJPC I6Unc2j8ZvoQlSpCe784q8ccaWjwqXR4V75TuTdLqTtu6srIrYpcn0g2 t0VNNuC5GhNin91ll7KkSlLtQAeezEVe8q7GhVNYnhEQWSLkch44dnvv 1uc=
>>
>> ;; ADDITIONAL SECTION:
>> nsdos2.dns.ukl.yahoo.com. 1800 IN A 217.12.8.29
>> nsdos3.dns.ukl.yahoo.com. 1800 IN A 217.12.8.30
>>
>> ;; Query time: 267 msec
>> ;; SERVER: 74.220.195.27#53(74.220.195.27)
>> ;; WHEN: Tue Oct 4 13:40:31 2011
>> ;; MSG SIZE rcvd: 523
>>
>> ========================================================================
>>
>> Phreebird hands back both the A and the AAAA record, but does not sign the AAAA record.
>>
>> Which behavior is correct, or are they both correct?
>>
>> --
>> perl -le '$"=$,,@_=(1)x4,@a=(0,4,5,4),map+($_<<=6)+=13,@_;for(0..3
>> ){$_[$_]+=1<<$a[$_]if$_;$_[$_]+=$a[$_]}$_[3]+=10,print map chr,@_'
>>
>
> --
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Edward Lewis
> NeuStar You can leave a voice message at +1-571-434-5468
>
> Vote for the word of the day:
> "Papa"razzi - father that constantly takes photos of the baby
> Corpureaucracy - The institution of corporate "red tape"
--
perl -le '$"=$,,@_=(1)x4,@a=(0,4,5,4),map+($_<<=6)+=13,@_;for(0..3
){$_[$_]+=1<<$a[$_]if$_;$_[$_]+=$a[$_]}$_[3]+=10,print map chr,@_'
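A check for the symptom this thread is about, written as an added example (it is not code from the thread, from BIND or from Phreebird): it parses the ANSWER section of dig output and lists the RRsets that came back with no RRSIG covering their type, and, when the answer also carries the owner's NSEC, compares the NSEC type bitmap against what the ANY answer actually contained. The two sample inputs are the ANY answers quoted above with the base64 signature data abbreviated; the parser assumes dig's default single-line presentation format (not +multiline), which is an assumption of the example.

```python
"""Flag RRsets in a dig ANSWER section that arrive without a covering RRSIG.

Added example for this thread (not code from the thread, from BIND or from
Phreebird). It parses dig's default single-line presentation format; output
printed with +multiline (RRSIG rdata wrapped in parentheses) is not handled.
"""

# Constructed sample input: the two ANY answers quoted in the thread, with the
# base64 signature data abbreviated to "...".
PHREEBIRD_ANY = """\
;; QUESTION SECTION:
;dnssec-test.yehoo.org. IN ANY

;; ANSWER SECTION:
dnssec-test.yehoo.org. 7200 IN A 66.163.165.151
dnssec-test.yehoo.org. 7200 IN AAAA 2001:4998:0:4::1005
dnssec-test.yehoo.org. 7200 IN RRSIG A 7 3 7200 20111031232342 20111003232342 47384 yehoo.org. u5tckz...bl0=

;; AUTHORITY SECTION:
yehoo.org. 172800 IN NS nsdos2.dns.ukl.yahoo.com.
"""

BIND_ANY = """\
;; ANSWER SECTION:
www.isc.org. 3600 IN RRSIG NSEC 5 3 3600 20111031233230 20111001233230 21693 isc.org. oCAfaS...sl8=
www.isc.org. 3600 IN NSEC www-dev.isc.org. A AAAA RRSIG NSEC
www.isc.org. 600 IN RRSIG AAAA 5 3 600 20111031233230 20111001233230 21693 isc.org. W3UIP7...u4A=
www.isc.org. 600 IN AAAA 2001:4f8:0:2::d
www.isc.org. 600 IN RRSIG A 5 3 600 20111031233230 20111001233230 21693 isc.org. r2ABZ9...7bA=
www.isc.org. 600 IN A 149.20.64.42

;; AUTHORITY SECTION:
isc.org. 7200 IN NS ams.sns-pb.isc.org.
"""


def parse_answer_section(dig_output):
    """Return (owner, ttl, type, rdata) tuples for the records in the ANSWER section."""
    records = []
    in_answer = False
    for raw in dig_output.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):          # any other ";;" line ends the section
            in_answer = False
            continue
        if not in_answer or not line:
            continue
        fields = line.split(None, 4)       # owner ttl class type rdata
        if len(fields) < 4:
            continue
        owner, ttl, _cls, rtype = fields[:4]
        rdata = fields[4] if len(fields) == 5 else ""
        records.append((owner, int(ttl), rtype, rdata))
    return records


def unsigned_rrsets(records):
    """(owner, type) pairs in the answer that no RRSIG covers.

    The first rdata field of an RRSIG is the type it covers (RFC 4034, 3.2),
    so matching it against the RRsets present exposes the gap the thread
    describes: an AAAA RRset returned with only an RRSIG over A."""
    present = {(o, t) for o, _ttl, t, _rd in records if t != "RRSIG"}
    covered = {(o, rd.split()[0]) for o, _ttl, t, rd in records if t == "RRSIG"}
    return sorted(present - covered)


def missing_from_any(records):
    """Types the NSEC bitmap says exist at the owner but the ANY answer omits.

    When an authoritative ANY answer includes the owner's NSEC, its bitmap is
    the signed list of types at that name, so it is a second completeness
    check. Returns None when no NSEC came back (nothing to compare against)."""
    nsecs = [(o, rd) for o, _ttl, t, rd in records if t == "NSEC"]
    if not nsecs:
        return None
    owner, rdata = nsecs[0]
    bitmap = set(rdata.split()[1:])            # rdata: next owner, then type list
    in_answer = {t for o, _ttl, t, _rd in records if o == owner}
    return sorted(bitmap - in_answer)


def check(dig_output):
    """Run both checks on one dig output and return the findings."""
    records = parse_answer_section(dig_output)
    return {
        "unsigned": unsigned_rrsets(records),
        "missing_vs_nsec": missing_from_any(records),
    }


if __name__ == "__main__":
    for label, output in (("BIND", BIND_ANY), ("Phreebird", PHREEBIRD_ANY)):
        print(label, check(output))
```

Run as-is it reports the Phreebird answer as leaving the AAAA RRset unsigned and the BIND answer as clean on both counts. As Edward's reply notes, the comparison is only meaningful on an answer with the aa flag set: a recursive resolver may legitimately assemble an ANY answer from whatever happens to be in its cache, so the check belongs on output from a query sent directly to the authoritative server.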