[dns-operations] DS-side NSEC query
Mark Andrews
marka at isc.org
Fri Jul 29 14:22:40 UTC 2016
There are no rules for what is the "correct" answer. Additionally it is
pretty pointless to query for NSEC records.
Mark
In message <30AC0DEA-2029-4295-BD82-1055512CB944 at powerdns.com>, "Peter van Dijk" writes:
> peter:~ $ dig nsec foo @k.root-servers.net +norec
>
> ; <<>> DiG 9.11.0a2 <<>> nsec foo @k.root-servers.net +norec
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61566
> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 11
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;foo. IN NSEC
>
> ;; AUTHORITY SECTION:
> foo. 172800 IN NS ns-tld1.charlestonroadregistry.com.
> foo. 172800 IN NS ns-tld2.charlestonroadregistry.com.
> foo. 172800 IN NS ns-tld3.charlestonroadregistry.com.
> foo. 172800 IN NS ns-tld4.charlestonroadregistry.com.
> foo. 172800 IN NS ns-tld5.charlestonroadregistry.com.
>
> ;; ADDITIONAL SECTION:
> ns-tld1.charlestonroadregistry.com. 172800 IN AAAA 2001:4860:4802:32::69
> ns-tld2.charlestonroadregistry.com. 172800 IN AAAA 2001:4860:4802:34::69
> ns-tld3.charlestonroadregistry.com. 172800 IN AAAA 2001:4860:4802:36::69
> ns-tld4.charlestonroadregistry.com. 172800 IN AAAA 2001:4860:4802:38::69
> ns-tld5.charlestonroadregistry.com. 172800 IN AAAA 2001:4860:4805::69
> ns-tld1.charlestonroadregistry.com. 172800 IN A 216.239.32.105
> ns-tld2.charlestonroadregistry.com. 172800 IN A 216.239.34.105
> ns-tld3.charlestonroadregistry.com. 172800 IN A 216.239.36.105
> ns-tld4.charlestonroadregistry.com. 172800 IN A 216.239.38.105
> ns-tld5.charlestonroadregistry.com. 172800 IN A 216.239.60.105
>
> ;; Query time: 14 msec
> ;; SERVER: 2001:7fd::1#53(2001:7fd::1)
> ;; WHEN: Fri Jul 29 15:33:01 CEST 2016
> ;; MSG SIZE rcvd: 388
>
> peter:~ $ dig nsec foo @k.root-servers.net +norec
>
> ; <<>> DiG 9.11.0a2 <<>> nsec foo @k.root-servers.net +norec
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22625
> ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 25
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;foo. IN NSEC
>
> ;; ANSWER SECTION:
> foo. 86400 IN NSEC foodnetwork. NS DS RRSIG NSEC
>
> ;; AUTHORITY SECTION:
> . 518400 IN NS l.root-servers.net.
> . 518400 IN NS j.root-servers.net.
> . 518400 IN NS g.root-servers.net.
> . 518400 IN NS f.root-servers.net.
> . 518400 IN NS b.root-servers.net.
> . 518400 IN NS d.root-servers.net.
> . 518400 IN NS e.root-servers.net.
> . 518400 IN NS m.root-servers.net.
> . 518400 IN NS k.root-servers.net.
> . 518400 IN NS i.root-servers.net.
> . 518400 IN NS a.root-servers.net.
> . 518400 IN NS h.root-servers.net.
> . 518400 IN NS c.root-servers.net.
>
> ;; ADDITIONAL SECTION:
> a.root-servers.net. 3600000 IN AAAA 2001:503:ba3e::2:30
> b.root-servers.net. 3600000 IN AAAA 2001:500:84::b
> c.root-servers.net. 3600000 IN AAAA 2001:500:2::c
> d.root-servers.net. 3600000 IN AAAA 2001:500:2d::d
> f.root-servers.net. 3600000 IN AAAA 2001:500:2f::f
> h.root-servers.net. 3600000 IN AAAA 2001:500:1::53
> i.root-servers.net. 3600000 IN AAAA 2001:7fe::53
> j.root-servers.net. 3600000 IN AAAA 2001:503:c27::2:30
> k.root-servers.net. 3600000 IN AAAA 2001:7fd::1
> l.root-servers.net. 3600000 IN AAAA 2001:500:9f::42
> m.root-servers.net. 3600000 IN AAAA 2001:dc3::35
> a.root-servers.net. 3600000 IN A 198.41.0.4
> b.root-servers.net. 3600000 IN A 192.228.79.201
> c.root-servers.net. 3600000 IN A 192.33.4.12
> d.root-servers.net. 3600000 IN A 199.7.91.13
> e.root-servers.net. 3600000 IN A 192.203.230.10
> f.root-servers.net. 3600000 IN A 192.5.5.241
> g.root-servers.net. 3600000 IN A 192.112.36.4
> h.root-servers.net. 3600000 IN A 198.97.190.53
> i.root-servers.net. 3600000 IN A 192.36.148.17
> j.root-servers.net. 3600000 IN A 192.58.128.30
> k.root-servers.net. 3600000 IN A 193.0.14.129
> l.root-servers.net. 3600000 IN A 199.7.83.42
> m.root-servers.net. 3600000 IN A 202.12.27.33
>
> ;; Query time: 14 msec
> ;; SERVER: 2001:7fd::1#53(2001:7fd::1)
> ;; WHEN: Fri Jul 29 15:33:01 CEST 2016
> ;; MSG SIZE rcvd: 792
>
>
> Based on +nsid and version.bind, the delegation response comes from Knot
> and NSD, while BIND serves the NSEC. If I had to choose, I would
> consider the Knot/NSD behaviour correct, but at least two people I've
> spoken to either disagree or feel that this is a sufficiently gray area
> that either is fine.
>
> Opinions?
>
> Kind regards,
> --
> Peter van Dijk
> PowerDNS.COM BV - https://www.powerdns.com/
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
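
The two behaviours in the quoted dig output can be told apart mechanically from the header flags and the section contents. The following is an added example, not part of the original thread or of any name server's code; `parse_dig` and `classify` are hypothetical helper names, and the sample inputs are abbreviated from the responses quoted above.

```python
import re

# Constructed samples: abbreviated from the two dig responses quoted above
# (wrapped records rejoined, glue and most NS lines trimmed).
REFERRAL = """\
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 11
;; QUESTION SECTION:
;foo. IN NSEC
;; AUTHORITY SECTION:
foo. 172800 IN NS ns-tld1.charlestonroadregistry.com.
"""
PARENT_NSEC = """\
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 25
;; QUESTION SECTION:
;foo. IN NSEC
;; ANSWER SECTION:
foo. 86400 IN NSEC foodnetwork. NS DS RRSIG NSEC
;; AUTHORITY SECTION:
. 518400 IN NS k.root-servers.net.
"""

def parse_dig(text):
    """Return (header flags, {section: [(owner, rtype, rdata tokens)]})."""
    flags, sections, current = set(), {}, None
    for line in text.splitlines():
        flag_m = re.match(r";; flags: ([a-z ]*);", line)
        sect_m = re.match(r";; (\w+) SECTION:", line)
        if flag_m:
            flags = set(flag_m.group(1).split())
        elif sect_m:
            current = sect_m.group(1)
            sections[current] = []
        elif current and line and not line.startswith(";"):
            parts = line.split()
            if len(parts) >= 5:  # owner ttl class type rdata...
                sections[current].append((parts[0].lower(), parts[3], parts[4:]))
    return flags, sections

def classify(text, qname):
    """Label a response to an NSEC query sent to the parent of a delegation."""
    flags, sec = parse_dig(text)
    for owner, rtype, rdata in sec.get("ANSWER", []):
        if owner == qname and rtype == "NSEC" and "aa" in flags:
            types = set(rdata[1:])  # rdata[0] is the next owner name
            # A parent-side NSEC at a zone cut has the NS bit set and SOA clear.
            parent = "NS" in types and "SOA" not in types
            return "nsec-answer:" + ("parent" if parent else "not-parent-side")
    referral = any(o == qname and t == "NS" for o, t, _ in sec.get("AUTHORITY", []))
    return "referral" if referral and "aa" not in flags else "other"

if __name__ == "__main__":
    for name, sample in (("first response", REFERRAL), ("second response", PARENT_NSEC)):
        print(name, "->", classify(sample, "foo."))
```
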