[dns-operations] DNSSEC and ANY query
Mark Pettit
mark at pettit.org
Tue Oct 4 21:40:47 UTC 2011
On Oct 4, 2011, at 2:36 PM, Paul Wouters wrote:

> While I *think* that might be a bug as well, there might be some RFC material
> on why this could be fine. But the authoritative server should never do this.

The RFC question is the reason I emailed this list. I'm curious what the "correct" behavior should be.

> It might be because it is serving both yehoo.org. and dnssec-test.yehoo.org on
> the same server, and it is answering as the "parent"? I cannot tell because
> halfway through my queries, you seem to have taken the domain offline.

dnssec-test.yehoo.org. is just a record in the yehoo.org zone. There's an A record for that name, and an AAAA record, and nothing else. It's not a separate zone.

I certainly haven't taken the domain offline. It's still up, and the servers are still answering for it.

For those who are unaware of Phreebird, it's a proxying DNSSEC tool. It signs responses in-line. It seems like it has a bug where it'll only sign the first record in the response instead of signing them all.
--
perl -le '$"=$,,@_=(1)x4,@a=(0,4,5,4),map+($_<<=6)+=13,@_;for(0..3
){$_[$_]+=1<<$a[$_]if$_;$_[$_]+=$a[$_]}$_[3]+=10,print map chr,@_'
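
A way to check a captured response for the symptom described in the message above, added here as an example and not part of the original post: it groups the records of an answer section (dig presentation format) into RRsets and reports those with no RRSIG covering them. The sample records, addresses, key tag and signature text are constructed, the function names are hypothetical, and the check looks only at presence of a covering RRSIG, not at cryptographic validity.

```python
# Added example: find RRsets in a DNS answer section that lack a covering RRSIG.
# Input is dig-style presentation format: owner TTL class type rdata...

# Constructed sample modelled on the report: A and AAAA at one name, but only
# the first RRset (A) carries a signature. Addresses and RRSIG fields are made up.
SAMPLE_ANSWER = """\
dnssec-test.yehoo.org. 300 IN A 192.0.2.1
dnssec-test.yehoo.org. 300 IN RRSIG A 7 3 300 20111101000000 20111001000000 12345 yehoo.org. c2lnbmF0dXJl
dnssec-test.yehoo.org. 300 IN AAAA 2001:db8::1
"""


def parse_records(text):
    """Yield (owner, class, type, rdata_fields) for each record line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # skip blanks and dig comments
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"not a resource record: {raw!r}")
        owner, _ttl, rrclass, rrtype = fields[:4]
        # Owner names and mnemonics are case-insensitive; normalise them.
        yield owner.lower(), rrclass.upper(), rrtype.upper(), fields[4:]


def unsigned_rrsets(text):
    """Return sorted (owner, type) pairs that have no RRSIG covering them."""
    present = set()   # RRsets seen in the answer
    covered = set()   # RRsets named by an RRSIG's "type covered" field
    for owner, rrclass, rrtype, rdata in parse_records(text):
        if rrtype == "RRSIG":
            covered.add((owner, rrclass, rdata[0].upper()))
        else:
            present.add((owner, rrclass, rrtype))
    return sorted((owner, rrtype) for owner, _cls, rrtype in present - covered)


if __name__ == "__main__":
    for owner, rrtype in unsigned_rrsets(SAMPLE_ANSWER):
        print(f"no RRSIG covering {owner} {rrtype}")
```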