[dns-operations] Possibly-incorrect NSEC responses from many RSOs

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Mar 1 18:50:29 UTC 2021


On Mon, Mar 01, 2021 at 07:33:58PM +0100, Anand Buddhdev wrote:

> > Cool, but at first blush the feature appears to have a bug in BIND 9.16.12:
> > 
> >     # dig +noall +ans +nocl +nottl +nosplit +norecur -t rrsig <mydomain>.org @<myserver> | awk '{print $2}' | uniq -c
> >        1 RRSIG
> > 
> >     # dig +noall +ans +nocl +nottl +nosplit +norecur -t any <mydomain>.org @<myserver> | awk '{print $2}' | uniq -c
> >        1 RRSIG
> >        1 NSEC3PARAM
> >        1 TXT
> >        2 CAA
> >        1 MX
> >        6 NS
> >        2 TYPE65534
> >        2 DNSKEY
> >        7 RRSIG
> >        1 SOA
> 
> This probably has nothing to do with the server. It's a change in
> behaviour in dig. Newer versions of dig use TCP for ANY queries, and so
> you'll get a full response. You have to explicitly use +notcp with an
> ANY query to see the behaviour over UDP. I also ran into this issue and
> was very confused. I even opened a bug report with ISC, only to be told
> that it was a "feature". I don't like this change at all, for many
> reasons. But we're stuck with it.

Ah, that explains it (somewhat surprising, but so be it):

    $ dig +notcp +noall +ans +nocl +nottl +nosplit +norecur -t any <mydomain>.org @<myserver> | awk '{print $2}' | uniq -c
       1 NSEC3PARAM

Thanks!

-- 
    Viktor.


More information about the dns-operations mailing list