[dns-operations] Possibly-incorrect NSEC responses from many RSOs
Viktor Dukhovni
ietf-dane at dukhovni.org
Mon Mar 1 18:50:29 UTC 2021
On Mon, Mar 01, 2021 at 07:33:58PM +0100, Anand Buddhdev wrote:
> > Cool, but at first blush the feature appears to have a bug in BIND 9.16.12:
> >
> > # dig +noall +ans +nocl +nottl +nosplit +norecur -t rrsig <mydomain>.org @<myserver> | awk '{print $2}' | uniq -c
> > 1 RRSIG
> >
> > # dig +noall +ans +nocl +nottl +nosplit +norecur -t any <mydomain>.org @<myserver> | awk '{print $2}' | uniq -c
> > 1 RRSIG
> > 1 NSEC3PARAM
> > 1 TXT
> > 2 CAA
> > 1 MX
> > 6 NS
> > 2 TYPE65534
> > 2 DNSKEY
> > 7 RRSIG
> > 1 SOA
>
> This probably has nothing to do with the server. It's a change in
> behaviour in dig. Newer versions of dig use TCP for ANY queries, and so
> you'll get a full response. You have to explicitly use +notcp with an
> ANY query to see the behaviour over UDP. I also ran into this issue and
> was very confused. I even opened a bug report with ISC, only to be told
> that it was a "feature". I don't like this change at all, for many
> reasons. But we're stuck with it.
Ah, that explains it (somewhat surprising, but so be it):
$ dig +notcp +noall +ans +nocl +nottl +nosplit +norecur -t any <mydomain>.org @<myserver> | awk '{print $2}' | uniq -c
1 NSEC3PARAM
Thanks!
--
Viktor.
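Since newer dig releases default to TCP for ANY, the reduced answer only shows up when the transport is forced with +notcp. The following POSIX shell helper is an added example (not code from this thread or from ISC): it runs the same ANY query over UDP and over TCP, tallies RRtypes per transport, and reports whether the UDP answer is the reduced one. It assumes dig is installed and keeps the thread's <mydomain>/<myserver> placeholders.

```shell
#!/bin/sh
# Added example: compare the ANY answer a server gives over UDP (+notcp)
# with the one it gives over TCP. Recent dig versions use TCP for ANY by
# default, which hides a minimal ANY answer that is only sent over UDP.

# Count RRs per RRtype in dig's answer section. Expects the
# "+noall +ans +nocl +nottl +nosplit" layout: "name TYPE rdata".
summarize_answer() {
    awk 'NF >= 2 { c[$2]++ } END { for (t in c) print t, c[t] }' | sort
}

# Number of distinct RRtypes present in the answer read from stdin.
type_count() {
    summarize_answer | wc -l | tr -d ' '
}

# Classify a pair of RRtype counts (UDP first, TCP second):
#   minimal - UDP returned fewer RRtypes than TCP
#   full    - both transports returned the same number of RRtypes
#   odd     - UDP returned more RRtypes than TCP (worth a closer look)
classify_any() {
    udp_types=$1; tcp_types=$2
    if [ "$udp_types" -lt "$tcp_types" ]; then echo minimal
    elif [ "$udp_types" -eq "$tcp_types" ]; then echo full
    else echo odd; fi
}

# Query ANY for a zone at a server over both transports and report.
# Usage: check_any <mydomain>.org <myserver>
check_any() {
    zone=$1; server=$2
    opts="+noall +ans +nocl +nottl +nosplit +norecur -t any"
    udp=$(dig +notcp $opts "$zone" @"$server")
    tcp=$(dig +tcp $opts "$zone" @"$server")
    echo "UDP answer:"; printf '%s\n' "$udp" | summarize_answer
    echo "TCP answer:"; printf '%s\n' "$tcp" | summarize_answer
    classify_any "$(printf '%s\n' "$udp" | type_count)" \
                 "$(printf '%s\n' "$tcp" | type_count)"
}
```

Run `check_any <mydomain>.org <myserver>` to see both tallies followed by the verdict; a server that answers a single RRset over UDP but the full set over TCP reports "minimal".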