[dns-operations] DNSSEC and ANY query
Mark Pettit
mark at pettit.org
Tue Oct 4 21:17:50 UTC 2011
There *is* a DNSKEY at the apex, but an ANY query for it doesn't show it for some reason:
========================================================================
$ dig +dnssec @nsdos2.dns.ukl.yahoo.com. yehoo.org. any
; <<>> DiG 9.6.2-RedHat-9.6.2-0.BH <<>> +dnssec @nsdos2.dns.ukl.yahoo.com. yehoo.org. any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21518
;; flags: qr aa rd; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;yehoo.org. IN ANY
;; ANSWER SECTION:
yehoo.org. 7200 IN A 68.180.206.184
yehoo.org. 7200 IN A 206.190.60.37
yehoo.org. 172800 IN NS nsdos2.dns.ukl.yahoo.com.
yehoo.org. 172800 IN NS nsdos3.dns.ukl.yahoo.com.
yehoo.org. 7200 IN SOA hidden-master.yahoo.com. hostmaster.yahoo-inc.com. 2011100301 28800 3600 1814400 600
yehoo.org. 7200 IN MX 0 .
yehoo.org. 7200 IN RRSIG A 7 2 7200 20111101210208 20111004210208 47384 yehoo.org. OlZqsTV4eG0OdbmzcxCQF6Lffjug3T2PAm8iW2lbvhHB6V16dGZbK2Ew 756HfvW/+Xi2QrSwYLYX1wMSU6gE4CNfxfh4hwJKe2i+4VLO5yB+RJ5B WiZIO9iJeQqjXMPt8tX8C+JfykB665909ZorncwJ6lDn1sm6dkdfWa2y C/8=
;; Query time: 167 msec
;; SERVER: 217.12.8.29#53(217.12.8.29)
;; WHEN: Tue Oct 4 15:16:21 2011
;; MSG SIZE rcvd: 476
========================================================================
It shows up with a query for it:
========================================================================
$ dig +dnssec @nsdos2.dns.ukl.yahoo.com. yehoo.org. dnskey
; <<>> DiG 9.6.2-RedHat-9.6.2-0.BH <<>> +dnssec @nsdos2.dns.ukl.yahoo.com. yehoo.org. dnskey
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9209
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;yehoo.org. IN DNSKEY
;; ANSWER SECTION:
yehoo.org. 3600 IN DNSKEY 256 3 7 AwEAAduI9STig3x2MoYkn8zx1mUEZNq7nEtm0UOXxyhfBeeMt+ee8ceh FhEcoBGXVeR1v8FmHghpQOHTm7ZEzvvEFKAetFKxHvB+czZ4y+2zBUHj 5pAGf+5JdH8BU4nC4ACxgcGG2Wqo0GVjzWCcNPdTfso22DXAeTmMVFFA 912nb6zv
yehoo.org. 3600 IN RRSIG DNSKEY 7 2 3600 20111030034947 20111002034947 47384 yehoo.org. MXwwiUUbiK1fmw9yYXPziz2KUaTHTNcYCvpclF7nKtrDzORGP+dNzCe2 XkG9dMhBPfC93ZOlu3Kxl5B9M5gCQW5bzvvVhknER8XaoNdyyWVG1b3w +hnLdekQJb9lWeUNxjPDHV7v0dEGqxoT+wa30Wo54iCTNkHSVQpUdXeA AKs=
;; Query time: 168 msec
;; SERVER: 217.12.8.29#53(217.12.8.29)
;; WHEN: Tue Oct 4 15:13:27 2011
;; MSG SIZE rcvd: 373
========================================================================
I'm starting to think Phreebird is full of bugs.
I'm the administrator of yehoo.org, for what it's worth. The zone file is mostly empty with a couple of records plus a wildcard.
On Oct 4, 2011, at 2:06 PM, Edward Lewis wrote:
> The first dig is what you want to see.
>
>
> The latter shows something went wrong in the signing process.
>
> Looking at yehoo.org./IN/ANY, there's no DNSKEY at the apex, as well as no other records. I looked there to see if there was an NSEC3PARAM or NSEC record, there was neither, so I couldn't tell if NSEC was missing from dnssec-test.yehoo.org. (If you signed with NSEC3, there'd be no NSEC3 record nor NSEC record in the ANY reply.)
>
> This tells me there's something wrong in the server too.
>
> $ dig +dnssec @nsdos2.dns.ukl.yahoo.com. yehoo.org. axfr
>
> ; <<>> DiG 9.7.2-P3 <<>> +dnssec @nsdos2.dns.ukl.yahoo.com. yehoo.org. axfr
> ; (1 server found)
> ;; global options: +cmd
> 4gajh9kslvt85ujb1f39srq6e5abn1n4.yehoo.org. 0 IN NSEC3 1 0 1 1290 4GAJH9KSLVT85UJB1F39SRQ6E5ABN1N5 RESERVED0 A NS SOA NULL WKS PTR HINFO MX TXT LOC SRV NAPTR CERT DS SSHFP IPSECKEY RRSIG NSEC DNSKEY DHCID NSEC3 NSEC3PARAM SPF
> 4gajh9kslvt85ujb1f39srq6e5abn1n4.yehoo.org. 0 IN RRSIG NSEC3 7 3 0 20111028155327 20110930155327 47384 yehoo.org. ayfpkm3PxdEYx2fbWIu+rWBTIC/1cTp4QjhHnSRVSqHd0FGMcSMseYOG ylbaUHEKzWb4KtDNioqQclCb/PvHiKR8Y+Xjd/Q4OlxVqqk24Aa11HGE v+ZGF5g/derQWvePE6vRXl7mXaVZt0Tca3TPBNwURkeKTYu4hpDeq1z8 QXM=
> ; Transfer failed.
>
>
> At 13:57 -0700 10/4/11, Mark Pettit wrote:
>> Digging against the auth server for yehoo.org. doesn't change the ANSWER section:
>>
>> Here is the BIND answer:
>>
>> ========================================================================
>> $ dig +dnssec @ams.sns-pb.isc.org. www.isc.org. any
>>
>> ; <<>> DiG 9.6.2-RedHat-9.6.2-0.BH <<>> +dnssec @ams.sns-pb.isc.org. www.isc.org. any
>> ; (2 servers found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51177
>> ;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 5, ADDITIONAL: 13
>> ;; WARNING: recursion requested but not available
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4096
>> ;; QUESTION SECTION:
>> ;www.isc.org. IN ANY
>>
>> ;; ANSWER SECTION:
>> www.isc.org. 3600 IN RRSIG NSEC 5 3 3600 20111031233230 20111001233230 21693 isc.org. oCAfaSUP2eeUsNFRyX2BNh92aKWvSL0F71PEW59NRs3rHqZ93Fj10lL6 MF4ZR157dKCAbzj4vIfZ1SkW+E9vxOqYz+FJCWEJq809USpuYFRcIVV5 0zP/+B0oYaYmw9gEPaXuYhwB3kWOTt6P2vYl8QHH4TkeTLeBR6rUPRGX sl8=
>> www.isc.org. 3600 IN NSEC www-dev.isc.org. A AAAA RRSIG NSEC
>> www.isc.org. 600 IN RRSIG AAAA 5 3 600 20111031233230 20111001233230 21693 isc.org. W3UIP7Q2OAgDVSILma/AODvbpH+dXD06s4RG+VensiDCOlAskTPHYnp1 MXxwMtPrkAGXHjNc0iNrsyG2fOV5rpiv6nBXFYsq867edUvDebGgpuYp pqDWgxPwC/UGt41DITzYcWdy0HpvJKYbMjq4Pfq3CnmUU/GINgtgyFyr u4A=
>> www.isc.org. 600 IN AAAA 2001:4f8:0:2::d
>> www.isc.org. 600 IN RRSIG A 5 3 600 20111031233230 20111001233230 21693 isc.org. r2ABZ9DJei4+9pNSVS40puQMGZ9rbH7NMa19xj/jZnRqMwxHxzQjpEKi A97xfJtYJGqDMyyaTwdKAsc8/3HG4XX8cnzSs/7AP6N4XJ9BrxOKp/P7 vQXxf8wiJV/jdGyxzmQL/CH+fuInIG2FJsa3Iohr/MCh4UZWYkOYKctF 7bA=
>> www.isc.org. 600 IN A 149.20.64.42
>>
>> ;; AUTHORITY SECTION:
>> isc.org. 7200 IN NS ams.sns-pb.isc.org.
>> isc.org. 7200 IN NS ns.isc.afilias-nst.info.
>> isc.org. 7200 IN NS sfba.sns-pb.isc.org.
>> isc.org. 7200 IN NS ord.sns-pb.isc.org.
>> isc.org. 7200 IN RRSIG NS 5 2 7200 20111031233230 20111001233230 21693 isc.org. nxYck7i6b45330OXV43MiA+hrV5SQNjFt2ZZmbYl/NkS2FGsDLgU/Oxk nat7Py+VvbBsncXzH8r1+vvB1vi1M1iCeIuzQ+Yfgkiuw0CFHIq2m7mN T/O9uGO67sPGXJ73Emfg3GGkt1sxLuoy5ZbupL1LbjV+yprDpgFCadAM yVI=
>>
>> ;; ADDITIONAL SECTION:
>> ams.sns-pb.isc.org. 7200 IN A 199.6.1.30
>> ams.sns-pb.isc.org. 7200 IN AAAA 2001:500:60::30
>> ord.sns-pb.isc.org. 7200 IN A 199.6.0.30
>> ord.sns-pb.isc.org. 7200 IN AAAA 2001:500:71::30
>> sfba.sns-pb.isc.org. 7200 IN A 149.20.64.3
>> sfba.sns-pb.isc.org. 7200 IN AAAA 2001:4f8:0:2::19
>> ams.sns-pb.isc.org. 7200 IN RRSIG A 5 4 7200 20111031233230 20111001233230 21693 isc.org. tp46ac7qNcCNbigQz+irRwtFT+uUcXhP2bCo8tcpN3egG8TjzeyMZjxa T1jdbWuFOulbXAD0gyvbRehuFSY60h9qFsHP4AexrHqBtosHr48Q0KWE fAAxHZMOQHE6kaS4FdAkVk3FtMVXlFnitBGWrPyXhqPQ/N/EZ7EvU0FU NMI=
>> ams.sns-pb.isc.org. 7200 IN RRSIG AAAA 5 4 7200 20111031233230 20111001233230 21693 isc.org. Gf1Vr+eJTNxqovT1QAkaywkJbHb//68epXhmoXaH4lXtMnBnn/cwRh8w 0x2TiGoi9ssGWY/ldPF2VYqiXWe6QIOmPYO/+D7LBSjUCTERgEf3xOgu uZahZWPgMTDzqobPs4DHuXLeGQmCAqdtxa/xKQ1KHuJiMLPxWC73k5Xe pRg=
>> ord.sns-pb.isc.org. 7200 IN RRSIG A 5 4 7200 20111031233230 20111001233230 21693 isc.org. ZHRQ6RD/HEsXDXTGK5mdKYzv09/A4CwxdBtjYfWBdIbih+lQaHnFxEnx nnPXkPqPxaz/jCFzQgIDMswQ39Z0YyD6atoykCfTJUXj2mXT/87+culg Et55ihsORdGI+h/uC4dA94I1ZNNNkcIV0gGvGhvdBSkBmQ5GAncSR8EK Zwo=
>> ord.sns-pb.isc.org. 7200 IN RRSIG AAAA 5 4 7200 20111031233230 20111001233230 21693 isc.org. b4dtHqeURq6k5+n4kNrVfymeEE3G7hYFN/LRBjlP+yYNb8EFf+TjwiyC tiIH8IjO31W8mICyhFhYZQfL+yLLYC2ADMgLnwh/hlpxoXkun9O0tMqz xHgPDP89brqIiXuI5tRStD7gg5Y9vJQU2r8MQ6sb6ipTloMJQMdAu1Kj aok=
>> sfba.sns-pb.isc.org. 7200 IN RRSIG A 5 4 7200 20111031233230 20111001233230 21693 isc.org. mBqkvSczD5qZyrFghl0mpKmrr3+W/FMSEuAp0n41j2kHZc1U/fLmkfOp GiByb7HE9PRbX/ZYovuRbI+NjT5BOa4Cpoa7YPYhfenIrKbWo50crXfq 5I7ZE91asH5JLo3qtzUKHnKutXHZ2JqVcq+1SZO7qx6n+XWRDjXwRreW hCY=
>> sfba.sns-pb.isc.org. 7200 IN RRSIG AAAA 5 4 7200 20111031233230 20111001233230 21693 isc.org. t2Wbj5KE9iM4BSZ4MnuLKo92Sl1a9/kOI4INtf/j9/jjvs4ab7dBvz0a vpjnDZgirryjnf9WyQQVsIjupyhamw/v3rm7LTxJHjNROYocWztIG/Ua 75b0zaBa9fxsu7Rmp7/3LnEwFVsfpoULPbKEl2HevTh6jrXw0v2Lxxz1 E9Q=
>>
>> ;; Query time: 156 msec
>> ;; SERVER: 199.6.1.30#53(199.6.1.30)
>> ;; WHEN: Tue Oct 4 14:51:40 2011
>> ;; MSG SIZE rcvd: 2022
>>
>> ========================================================================
>>
>> And here's Phreebird:
>>
>> ========================================================================
>> $ dig +dnssec @nsdos2.dns.ukl.yahoo.com. dnssec-test.yehoo.org. any
>>
>> ; <<>> DiG 9.6.2-RedHat-9.6.2-0.BH <<>> +dnssec @nsdos2.dns.ukl.yahoo.com. dnssec-test.yehoo.org. any
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60407
>> ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 1
>> ;; WARNING: recursion requested but not available
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4096
>> ;; QUESTION SECTION:
>> ;dnssec-test.yehoo.org. IN ANY
>>
>> ;; ANSWER SECTION:
>> dnssec-test.yehoo.org. 7200 IN A 66.163.165.151
>> dnssec-test.yehoo.org. 7200 IN AAAA 2001:4998:0:4::1005
>> dnssec-test.yehoo.org. 7200 IN RRSIG A 7 3 7200 20111031232342 20111003232342 47384 yehoo.org. u5tckz/oLlUeuQkQ/s2iAuMGpFD61Zhffxf+BTHZ0gAu7rN6ekx6wDNH qoZtdMvTjIg1hZJA9/FPQtHksONg6vQGTPxXgt3XpKiYsodZzetdARmO 3EdOvzD7k59VkwwocWjtmDAHR2zp9x97KpmglqPXBtsO/PaS23KEqX2w bl0=
>>
>> ;; AUTHORITY SECTION:
>> yehoo.org. 172800 IN NS nsdos2.dns.ukl.yahoo.com.
>> yehoo.org. 172800 IN NS nsdos3.dns.ukl.yahoo.com.
>> yehoo.org. 172800 IN RRSIG NS 7 2 172800 20111031200014 20111003200014 47384 yehoo.org. gh075sBA+8DozLx4kbxBx4RiSrQcWNR7iwoanSU0IdRPLXuRg9WeQJPC I6Unc2j8ZvoQlSpCe784q8ccaWjwqXR4V75TuTdLqTtu6srIrYpcn0g2 t0VNNuC5GhNin91ll7KkSlLtQAeezEVe8q7GhVNYnhEQWSLkch44dnvv 1uc=
>>
>> ;; Query time: 169 msec
>> ;; SERVER: 217.12.8.29#53(217.12.8.29)
>> ;; WHEN: Tue Oct 4 14:52:34 2011
>> ;; MSG SIZE rcvd: 598
>>
>> ========================================================================
>>
>> Thanks for the reply. I forgot to dig directly against the authoritative server.
>>
>> To be clear, when I ask for an AAAA record from Phreebird, it hands back the record along with a signature for the AAAA record. It just doesn't hand it back when I query for ANY:
>>
>> ========================================================================
>> $ dig +dnssec @nsdos2.dns.ukl.yahoo.com. dnssec-test.yehoo.org. aaaa
>>
>> ; <<>> DiG 9.6.2-RedHat-9.6.2-0.BH <<>> +dnssec @nsdos2.dns.ukl.yahoo.com. dnssec-test.yehoo.org. aaaa
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4036
>> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1
>> ;; WARNING: recursion requested but not available
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4096
>> ;; QUESTION SECTION:
>> ;dnssec-test.yehoo.org. IN AAAA
>>
>> ;; ANSWER SECTION:
>> dnssec-test.yehoo.org. 7200 IN AAAA 2001:4998:0:4::1005
>> dnssec-test.yehoo.org. 7200 IN RRSIG AAAA 7 3 7200 20111031225907 20111003225907 47384 yehoo.org. WeoTKj/f5oSJmbcqFxC6eiFbhY4V5VHMEijgiv+N8+d00E4oIk+kNoGO ZtT75xhiALXNsCtRJ1ECDqXTagKgDE4yKr1gxGvkh9pRBXWJYUaRZtWR 3S+EkiXnGKCgChjGbCiJuaZnalbPqEgrA0NBz16YvcUlH8APm2dgngxl 5CE=
>>
>> ;; AUTHORITY SECTION:
>> yehoo.org. 172800 IN NS nsdos2.dns.ukl.yahoo.com.
>> yehoo.org. 172800 IN NS nsdos3.dns.ukl.yahoo.com.
>> yehoo.org. 172800 IN RRSIG NS 7 2 172800 20111031200014 20111003200014 47384 yehoo.org. gh075sBA+8DozLx4kbxBx4RiSrQcWNR7iwoanSU0IdRPLXuRg9WeQJPC I6Unc2j8ZvoQlSpCe784q8ccaWjwqXR4V75TuTdLqTtu6srIrYpcn0g2 t0VNNuC5GhNin91ll7KkSlLtQAeezEVe8q7GhVNYnhEQWSLkch44dnvv 1uc=
>>
>> ;; Query time: 167 msec
>> ;; SERVER: 217.12.8.29#53(217.12.8.29)
>> ;; WHEN: Tue Oct 4 14:57:03 2011
>> ;; MSG SIZE rcvd: 561
>>
>> ========================================================================
>>
>> On Oct 4, 2011, at 1:47 PM, Edward Lewis wrote:
>>
>>> Neither answer is an authoritative answer (aa flag), so it's hard to isolate.
>>>
>>> The latter answer is missing a RRSIG(AAAA). And the NSEC, RRSIG(NSEC) might be missing because they weren't in cache when the ANY query comes in.
>>>
>>> Try dig @<auth-server> name any
>>>
>>> and compare the results.
>>>
>>>
>>> At 12:43 -0700 10/4/11, Mark Pettit wrote:
>>>> Hi, DNS folks.
>>>>
>>>> I've recently noticed a difference in behavior between how BIND handles ANY queries for records with both A and AAAA records, and how Phreebird handles them. I'm curious if either is wrong, and what the spec says, so I thought I'd ask here.
>>>>
>>>> First, here's how BIND handles an ANY query when the record in question contains both A records and AAAA records:
>>>>
>>>> ========================================================================
>>>> $ dig +dnssec www.isc.org. any
>>>>
>>>> ; <<>> DiG 9.6.2-RedHat-9.6.2-0.BH <<>> +dnssec www.isc.org. any
>>>> ;; global options: +cmd
>>>> ;; Got answer:
>>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3702
>>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 5, ADDITIONAL: 5
>>>>
>>>> ;; OPT PSEUDOSECTION:
>>>> ; EDNS: version: 0, flags: do; udp: 4096
>>>> ;; QUESTION SECTION:
>>>> ;www.isc.org. IN ANY
>>>>
>>>> ;; ANSWER SECTION:
>>>> www.isc.org. 3600 IN RRSIG NSEC 5 3 3600 20111031233230 20111001233230 21693 isc.org. oCAfaSUP2eeUsNFRyX2BNh92aKWvSL0F71PEW59NRs3rHqZ93Fj10lL6 MF4ZR157dKCAbzj4vIfZ1SkW+E9vxOqYz+FJCWEJq809USpuYFRcIVV5 0zP/+B0oYaYmw9gEPaXuYhwB3kWOTt6P2vYl8QHH4TkeTLeBR6rUPRGX sl8=
>>>> www.isc.org. 3600 IN NSEC www-dev.isc.org. A AAAA RRSIG NSEC
>>>> www.isc.org. 600 IN RRSIG AAAA 5 3 600 20111031233230 20111001233230 21693 isc.org. W3UIP7Q2OAgDVSILma/AODvbpH+dXD06s4RG+VensiDCOlAskTPHYnp1 MXxwMtPrkAGXHjNc0iNrsyG2fOV5rpiv6nBXFYsq867edUvDebGgpuYp pqDWgxPwC/UGt41DITzYcWdy0HpvJKYbMjq4Pfq3CnmUU/GINgtgyFyr u4A=
>>>> www.isc.org. 600 IN AAAA 2001:4f8:0:2::d
>>>> www.isc.org. 600 IN RRSIG A 5 3 600 20111031233230 20111001233230 21693 isc.org. r2ABZ9DJei4+9pNSVS40puQMGZ9rbH7NMa19xj/jZnRqMwxHxzQjpEKi A97xfJtYJGqDMyyaTwdKAsc8/3HG4XX8cnzSs/7AP6N4XJ9BrxOKp/P7 vQXxf8wiJV/jdGyxzmQL/CH+fuInIG2FJsa3Iohr/MCh4UZWYkOYKctF 7bA=
>>>> www.isc.org. 600 IN A 149.20.64.42
>>>>
>>>> ;; AUTHORITY SECTION:
>>>> isc.org. 1000 IN NS ams.sns-pb.isc.org.
>>>> isc.org. 1000 IN NS ns.isc.afilias-nst.info.
>>>> isc.org. 1000 IN NS ord.sns-pb.isc.org.
>>>> isc.org. 1000 IN NS sfba.sns-pb.isc.org.
>>>> isc.org. 7200 IN RRSIG NS 5 2 7200 20111031233230 20111001233230 21693 isc.org. nxYck7i6b45330OXV43MiA+hrV5SQNjFt2ZZmbYl/NkS2FGsDLgU/Oxk nat7Py+VvbBsncXzH8r1+vvB1vi1M1iCeIuzQ+Yfgkiuw0CFHIq2m7mN T/O9uGO67sPGXJ73Emfg3GGkt1sxLuoy5ZbupL1LbjV+yprDpgFCadAM yVI=
>>>>
>>>> ;; ADDITIONAL SECTION:
>>>> ord.sns-pb.isc.org. 7107 IN A 199.6.0.30
>>>> ord.sns-pb.isc.org. 7107 IN AAAA 2001:500:71::30
>>>> ord.sns-pb.isc.org. 7108 IN RRSIG A 5 4 7200 20111031233230 20111001233230 21693 isc.org. ZHRQ6RD/HEsXDXTGK5mdKYzv09/A4CwxdBtjYfWBdIbih+lQaHnFxEnx nnPXkPqPxaz/jCFzQgIDMswQ39Z0YyD6atoykCfTJUXj2mXT/87+culg Et55ihsORdGI+h/uC4dA94I1ZNNNkcIV0gGvGhvdBSkBmQ5GAncSR8EK Zwo=
>>>> ord.sns-pb.isc.org. 7108 IN RRSIG AAAA 5 4 7200 20111031233230 20111001233230 21693 isc.org. b4dtHqeURq6k5+n4kNrVfymeEE3G7hYFN/LRBjlP+yYNb8EFf+TjwiyC tiIH8IjO31W8mICyhFhYZQfL+yLLYC2ADMgLnwh/hlpxoXkun9O0tMqz xHgPDP89brqIiXuI5tRStD7gg5Y9vJQU2r8MQ6sb6ipTloMJQMdAu1Kj aok=
>>>>
>>>> ;; Query time: 84 msec
>>>> ;; SERVER: 74.220.195.27#53(74.220.195.27)
>>>> ;; WHEN: Tue Oct 4 13:37:30 2011
>>>> ;; MSG SIZE rcvd: 1266
>>>>
>>>> ========================================================================
>>>>
>>>> As you can see, BIND hands back an NSEC record, an A record, and an AAAA record, and an RRSIG for each of those. There's more stuff in the Authority and Additional section, but that's not relevant to my question.
>>>>
>>>> Here's what I see from Phreebird 1.02:
>>>>
>>>> ========================================================================
>>>> $ dig +dnssec dnssec-test.yehoo.org. any
>>>>
>>>> ; <<>> DiG 9.6.2-RedHat-9.6.2-0.BH <<>> +dnssec dnssec-test.yehoo.org. any
>>>> ;; global options: +cmd
>>>> ;; Got answer:
>>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31141
>>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 3
>>>>
>>>> ;; OPT PSEUDOSECTION:
>>>> ; EDNS: version: 0, flags: do; udp: 4096
>>>> ;; QUESTION SECTION:
>>>> ;dnssec-test.yehoo.org. IN ANY
>>>>
>>>> ;; ANSWER SECTION:
>>>> dnssec-test.yehoo.org. 7200 IN RRSIG A 7 3 7200 20111031232342 20111003232342 47384 yehoo.org. u5tckz/oLlUeuQkQ/s2iAuMGpFD61Zhffxf+BTHZ0gAu7rN6ekx6wDNH qoZtdMvTjIg1hZJA9/FPQtHksONg6vQGTPxXgt3XpKiYsodZzetdARmO 3EdOvzD7k59VkwwocWjtmDAHR2zp9x97KpmglqPXBtsO/PaS23KEqX2w bl0=
>>>> dnssec-test.yehoo.org. 7200 IN AAAA 2001:4998:0:4::1005
>>>> dnssec-test.yehoo.org. 7200 IN A 66.163.165.151
>>>>
>>>> ;; AUTHORITY SECTION:
>>>> yehoo.org. 172800 IN NS nsdos3.dns.ukl.yahoo.com.
>>>> yehoo.org. 172800 IN NS nsdos2.dns.ukl.yahoo.com.
>>>> yehoo.org. 172800 IN RRSIG NS 7 2 172800 20111031200014 20111003200014 47384 yehoo.org. gh075sBA+8DozLx4kbxBx4RiSrQcWNR7iwoanSU0IdRPLXuRg9WeQJPC I6Unc2j8ZvoQlSpCe784q8ccaWjwqXR4V75TuTdLqTtu6srIrYpcn0g2 t0VNNuC5GhNin91ll7KkSlLtQAeezEVe8q7GhVNYnhEQWSLkch44dnvv 1uc=
>>>>
>>>> ;; ADDITIONAL SECTION:
>>>> nsdos2.dns.ukl.yahoo.com. 1800 IN A 217.12.8.29
>>>> nsdos3.dns.ukl.yahoo.com. 1800 IN A 217.12.8.30
>>>>
>>>> ;; Query time: 267 msec
>>>> ;; SERVER: 74.220.195.27#53(74.220.195.27)
>>>> ;; WHEN: Tue Oct 4 13:40:31 2011
>>>> ;; MSG SIZE rcvd: 523
>>>>
>>>> ========================================================================
>>>>
>>>> Phreebird hands back both the A and the AAAA record, but does not sign the AAAA record.
>>>>
>>>> Which behavior is correct, or are they both correct?
>>>>
>>>> --
>>>> perl -le '$"=$,, at _=(1)x4, at a=(0,4,5,4),map+($_<<=6)+=13, at _;for(0..3
>>>> ){$_[$_]+=1<<$a[$_]if$_;$_[$_]+=$a[$_]}$_[3]+=10,print map chr, at _'
>>>>
>>>
>>> --
>>> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>>> Edward Lewis
>>> NeuStar You can leave a voice message at +1-571-434-5468
>>>
>>> Vote for the word of the day:
>>> "Papa"razzi - father that constantly takes photos of the baby
>>> Corpureaucracy - The institution of corporate "red tape"
>>
>> --
>> perl -le '$"=$,, at _=(1)x4, at a=(0,4,5,4),map+($_<<=6)+=13, at _;for(0..3
>> ){$_[$_]+=1<<$a[$_]if$_;$_[$_]+=$a[$_]}$_[3]+=10,print map chr, at _'
>
> --
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Edward Lewis
> NeuStar You can leave a voice message at +1-571-434-5468
>
> Vote for the word of the day:
> "Papa"razzi - father that constantly takes photos of the baby
> Corpureaucracy - The institution of corporate "red tape"
--
perl -le '$"=$,, at _=(1)x4, at a=(0,4,5,4),map+($_<<=6)+=13, at _;for(0..3
){$_[$_]+=1<<$a[$_]if$_;$_[$_]+=$a[$_]}$_[3]+=10,print map chr, at _'