[dns-operations] DS-side NSEC query

Peter van Dijk peter.van.dijk at powerdns.com
Fri Jul 29 13:34:43 UTC 2016 

[peter:~] $ dig nsec foo @k.root-servers.net  +norec

; <<>> DiG 9.11.0a2 <<>> nsec foo @k.root-servers.net +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61566
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 11

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;foo.				IN	NSEC

;; AUTHORITY SECTION:
foo.			172800	IN	NS	ns-tld1.charlestonroadregistry.com.
foo.			172800	IN	NS	ns-tld2.charlestonroadregistry.com.
foo.			172800	IN	NS	ns-tld3.charlestonroadregistry.com.
foo.			172800	IN	NS	ns-tld4.charlestonroadregistry.com.
foo.			172800	IN	NS	ns-tld5.charlestonroadregistry.com.

;; ADDITIONAL SECTION:
ns-tld1.charlestonroadregistry.com. 172800 IN AAAA 2001:4860:4802:32::69
ns-tld2.charlestonroadregistry.com. 172800 IN AAAA 2001:4860:4802:34::69
ns-tld3.charlestonroadregistry.com. 172800 IN AAAA 2001:4860:4802:36::69
ns-tld4.charlestonroadregistry.com. 172800 IN AAAA 2001:4860:4802:38::69
ns-tld5.charlestonroadregistry.com. 172800 IN AAAA 2001:4860:4805::69
ns-tld1.charlestonroadregistry.com. 172800 IN A	216.239.32.105
ns-tld2.charlestonroadregistry.com. 172800 IN A	216.239.34.105
ns-tld3.charlestonroadregistry.com. 172800 IN A	216.239.36.105
ns-tld4.charlestonroadregistry.com. 172800 IN A	216.239.38.105
ns-tld5.charlestonroadregistry.com. 172800 IN A	216.239.60.105

;; Query time: 14 msec
;; SERVER: 2001:7fd::1#53(2001:7fd::1)
;; WHEN: Fri Jul 29 15:33:01 CEST 2016
;; MSG SIZE  rcvd: 388

[peter:~] $ dig nsec foo @k.root-servers.net  +norec

; <<>> DiG 9.11.0a2 <<>> nsec foo @k.root-servers.net +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22625
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 25

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;foo.				IN	NSEC

;; ANSWER SECTION:
foo.			86400	IN	NSEC	foodnetwork. NS DS RRSIG NSEC

;; AUTHORITY SECTION:
.			518400	IN	NS	l.root-servers.net.
.			518400	IN	NS	j.root-servers.net.
.			518400	IN	NS	g.root-servers.net.
.			518400	IN	NS	f.root-servers.net.
.			518400	IN	NS	b.root-servers.net.
.			518400	IN	NS	d.root-servers.net.
.			518400	IN	NS	e.root-servers.net.
.			518400	IN	NS	m.root-servers.net.
.			518400	IN	NS	k.root-servers.net.
.			518400	IN	NS	i.root-servers.net.
.			518400	IN	NS	a.root-servers.net.
.			518400	IN	NS	h.root-servers.net.
.			518400	IN	NS	c.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net.	3600000	IN	AAAA	2001:503:ba3e::2:30
b.root-servers.net.	3600000	IN	AAAA	2001:500:84::b
c.root-servers.net.	3600000	IN	AAAA	2001:500:2::c
d.root-servers.net.	3600000	IN	AAAA	2001:500:2d::d
f.root-servers.net.	3600000	IN	AAAA	2001:500:2f::f
h.root-servers.net.	3600000	IN	AAAA	2001:500:1::53
i.root-servers.net.	3600000	IN	AAAA	2001:7fe::53
j.root-servers.net.	3600000	IN	AAAA	2001:503:c27::2:30
k.root-servers.net.	3600000	IN	AAAA	2001:7fd::1
l.root-servers.net.	3600000	IN	AAAA	2001:500:9f::42
m.root-servers.net.	3600000	IN	AAAA	2001:dc3::35
a.root-servers.net.	3600000	IN	A	198.41.0.4
b.root-servers.net.	3600000	IN	A	192.228.79.201
c.root-servers.net.	3600000	IN	A	192.33.4.12
d.root-servers.net.	3600000	IN	A	199.7.91.13
e.root-servers.net.	3600000	IN	A	192.203.230.10
f.root-servers.net.	3600000	IN	A	192.5.5.241
g.root-servers.net.	3600000	IN	A	192.112.36.4
h.root-servers.net.	3600000	IN	A	198.97.190.53
i.root-servers.net.	3600000	IN	A	192.36.148.17
j.root-servers.net.	3600000	IN	A	192.58.128.30
k.root-servers.net.	3600000	IN	A	193.0.14.129
l.root-servers.net.	3600000	IN	A	199.7.83.42
m.root-servers.net.	3600000	IN	A	202.12.27.33

;; Query time: 14 msec
;; SERVER: 2001:7fd::1#53(2001:7fd::1)
;; WHEN: Fri Jul 29 15:33:01 CEST 2016
;; MSG SIZE  rcvd: 792


Based on +nsid and version.bind, the delegation response comes from Knot 
and NSD, while BIND serves the NSEC. If I had to choose, I would 
consider the Knot/NSD behaviour correct, but at least two people I’ve 
spoken to either disagree or feel that this is a sufficiently gray area 
that either is fine.

Opinions?

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

More information about the dns-operations mailing list