[dns-operations] Possibly-incorrect NSEC responses from many RSOs

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Mar 1 17:55:38 UTC 2021


On Mon, Mar 01, 2021 at 05:11:32PM +0000, Tony Finch wrote:

> Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> >
> > The RFC 4035 language is sound for NSEC and DNSKEY, but (and this is a
> > related side topic), I rather think that the specification should have
> > said that queries for "RRSIG" for an extant name should return a single
> > RRSIG of their choice, rather than treat RRSIG records as a normal
> > RRSet.
> 
> There's some relatively feeble verbiage about this in RFC 8482 (minimal
> responses to ANY) - https://tools.ietf.org/html/rfc8482#page-8
> 
> BIND does what you suggest if you turn on the minimal-any option.

Cool, but at first blush the feature appears to have a bug in BIND 9.16.12:

    # dig +noall +ans +nocl +nottl +nosplit +norecur -t rrsig <mydomain>.org @<myserver> | awk '{print $2}' | uniq -c
       1 RRSIG

    # dig +noall +ans +nocl +nottl +nosplit +norecur -t any <mydomain>.org @<myserver> | awk '{print $2}' | uniq -c
       1 RRSIG
       1 NSEC3PARAM
       1 TXT
       2 CAA
       1 MX
       6 NS
       2 TYPE65534
       2 DNSKEY
       7 RRSIG
       1 SOA

It seems to work for "RRSIG", but not in fact for "ANY".  I have:

    options {
        ...
        recursion no;
        minimal-any yes;
        ...
    };

-- 
    Viktor.
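One way to turn the awk/uniq tally above into a check that says whether an ANY answer is actually minimal in the RFC 8482 sense (a single RRset plus only the RRSIGs covering it). This is an added example, not code from the post or from BIND; the zone name example.org and the records in the samples are constructed.

```python
"""Classify a dig answer section as a minimal or full ANY response.

Input is the text produced by the flags used in the post
(+noall +ans +nocl +nottl +nosplit): one RR per line as owner, type, rdata.
"""
from collections import Counter

# Constructed samples for a hypothetical signed zone example.org (not the
# records from the post). FULL_ANY is what a non-minimal ANY reply looks
# like; MINIMAL_ANY is a single RRset travelling with its own RRSIG.
FULL_ANY = """\
example.org.\tSOA\tns1.example.org. hostmaster.example.org. 2021030101 7200 3600 1209600 3600
example.org.\tRRSIG\tSOA 13 2 3600 20210315000000 20210301000000 12345 example.org. c2ln==
example.org.\tNS\tns1.example.org.
example.org.\tNS\tns2.example.org.
example.org.\tRRSIG\tNS 13 2 3600 20210315000000 20210301000000 12345 example.org. c2ln==
example.org.\tTXT\t"v=spf1 -all"
example.org.\tRRSIG\tTXT 13 2 3600 20210315000000 20210301000000 12345 example.org. c2ln==
"""
MINIMAL_ANY = "\n".join(FULL_ANY.splitlines()[:2]) + "\n"


def parse_answer(text):
    """Return (owner, rtype, rdata) tuples, skipping blank and comment lines."""
    records = []
    for line in text.splitlines():
        fields = line.split(None, 2)
        if len(fields) < 2 or fields[0].startswith(";"):
            continue
        rdata = fields[2] if len(fields) > 2 else ""
        records.append((fields[0], fields[1], rdata))
    return records


def type_counts(records):
    """Per-type tally, like the awk '{print $2}' | uniq -c pipeline (but merged)."""
    return Counter(rtype for _, rtype, _ in records)


def is_minimal_any(records):
    """True when the answer holds exactly one non-RRSIG RRset and every RRSIG
    present covers that same type; anything else is the full ANY answer."""
    rrsets = {rtype for _, rtype, _ in records if rtype != "RRSIG"}
    covered = {rdata.split()[0] for _, rtype, rdata in records
               if rtype == "RRSIG" and rdata}
    return len(rrsets) == 1 and covered <= rrsets


if __name__ == "__main__":
    for label, text in (("full", FULL_ANY), ("minimal", MINIMAL_ANY)):
        recs = parse_answer(text)
        print(label, dict(type_counts(recs)), "minimal:", is_minimal_any(recs))
```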