[dns-operations] Possibly-incorrect NSEC responses from many RSOs
Anand Buddhdev
anandb at ripe.net
Mon Mar 1 18:33:58 UTC 2021
Hi Viktor,

On 01/03/2021 18:55, Viktor Dukhovni wrote:
> Cool, but at first blush the feature appears to have a bug in BIND 9.16.12:
>
> # dig +noall +ans +nocl +nottl +nosplit +norecur -t rrsig <mydomain>.org @<myserver> | awk '{print $2}' | uniq -c
> 1 RRSIG
>
> # dig +noall +ans +nocl +nottl +nosplit +norecur -t any <mydomain>.org @<myserver> | awk '{print $2}' | uniq -c
> 1 RRSIG
> 1 NSEC3PARAM
> 1 TXT
> 2 CAA
> 1 MX
> 6 NS
> 2 TYPE65534
> 2 DNSKEY
> 7 RRSIG
> 1 SOA
This probably has nothing to do with the server. It's a change in
behaviour in dig. Newer versions of dig use TCP for ANY queries, and so
you'll get a full response. You have to explicitly use +notcp with an
ANY query to see the behaviour over UDP. I also ran into this issue and
was very confused. I even opened a bug report with ISC, only to be told
that it was a "feature". I don't like this change at all, for many
reasons. But we're stuck with it.

Regards,
Anand
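The transport difference described above (newer dig sends ANY queries over TCP by default, so the full answer comes back; +notcp is needed to see what a UDP client gets) can be checked without relying on dig's defaults at all. The following is an added Python example, not part of the list thread and not ISC or RIPE code: it builds the same ANY query with the standard library only, sends it once over UDP and once over TCP, then counts answer RRs by type and reports whether the TC bit was set. The server address and zone name given on the command line are placeholders; the sample responses embedded for offline testing are constructed, not captured from any server.

```python
import socket
import struct
import sys
from collections import Counter

QTYPE_ANY = 255
# Type mnemonics for the record types that appear in the dig output above;
# anything else is rendered as TYPE<n>, the way dig does for unknown types.
TYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 15: "MX", 16: "TXT", 46: "RRSIG",
              47: "NSEC", 48: "DNSKEY", 50: "NSEC3", 51: "NSEC3PARAM", 257: "CAA"}


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus root."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=QTYPE_ANY, txid=0x1234):
    # Header: id, flags (RD clear, matching dig +norecur), qdcount=1, rest 0.
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def skip_name(msg, off):
    """Return the offset just past a name; a compression pointer ends it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Summarise a DNS response: TC flag, ANCOUNT and answer RRs by type."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):               # skip the question section
        off = skip_name(msg, off) + 4
    counts = Counter()
    for _ in range(an):               # walk the answer section
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        counts[TYPE_NAMES.get(rtype, f"TYPE{rtype}")] += 1
    return {"truncated": bool(flags & 0x0200), "ancount": an, "types": dict(counts)}


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed TCP stream early")
        buf += chunk
    return buf


def query_udp(server, name, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


def query_tcp(server, name, timeout=3.0):
    q = build_query(name)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)   # RFC 1035 two-byte length prefix
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        data = recv_exact(s, length)
    return parse_response(data)


def build_response(name, rrs, truncated=False, txid=0x1234):
    # Constructed test data only: one RR per (type, rdata) pair, with owner
    # names compressed as pointers (0xC00C) to the question name at offset 12.
    flags = 0x8400 | (0x0200 if truncated else 0)   # QR + AA (+ TC)
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(rrs), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", QTYPE_ANY, 1)
    for rtype, rdata in rrs:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    return msg


# Constructed samples (not real server output): a server answering ANY with a
# single RRset over UDP, and the full answer set as it would arrive over TCP.
SAMPLE_UDP = build_response("example.org", [(46, b"\x00" * 20)])
SAMPLE_TCP = build_response("example.org", [
    (6, b"\x00" * 22), (2, encode_name("ns1.example.org")),
    (2, encode_name("ns2.example.org")), (46, b"\x00" * 20), (46, b"\x00" * 20)])

if __name__ == "__main__":
    server, zone = sys.argv[1], sys.argv[2]     # placeholders, e.g. 192.0.2.1 example.org
    print("UDP:", query_udp(server, zone))
    print("TCP:", query_tcp(server, zone))
```

Run it as `python3 any_compare.py <myserver> <mydomain>.org`; if the UDP summary shows a single type while the TCP summary lists the whole set, the server is answering ANY minimally over UDP and the difference seen in dig is the transport, not the zone. A UDP reply with `truncated: True` instead means the answer did not fit and a real resolver would retry over TCP.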