Re: NSEC3 records not available through a BIND resolver <= 9.5?

2010-03-17 Thread Mark Andrews
In message <20100317172506.gb21...@isc.org>, Evan Hunt writes:
> > BIND <=9.5 doesn't know that it's supposed to pass them in a NXDOMAIN
> > response.
>
> Correct, and whoops. We should have backported at least that much
> knowledge of NSEC3.

Not really. You need a NSEC3 aware path between the

Re: NSEC3 records not available through a BIND resolver <= 9.5?

2010-03-17 Thread Evan Hunt
> BIND <=9.5 doesn't know that it's supposed to pass them in a NXDOMAIN
> response.

Correct, and whoops. We should have backported at least that much knowledge of NSEC3.

> That said, I thought it would be possible to explicitly ask for TYPE50.
> But that seems not to work, either:

IIRC, RFC 51

Re: NSEC3 records not available through a BIND resolver <= 9.5?

2010-03-17 Thread Hauke Lampe
Stephane Bortzmeyer wrote:
> I cannot get the NSEC3 records through a BIND resolver if it is
> version <= 9.5:
>
> % dig +dnssec jhfgTCFGD564564.org
>
> If BIND >= 9.6, it works (or with Unbound). Yes, NSEC3 support was
> added in 9.6 but, for older BINDs, TYPE50 (NSEC3) shoul

NSEC3 records not available through a BIND resolver <= 9.5?

2010-03-17 Thread Stephane Bortzmeyer
I cannot get the NSEC3 records through a BIND resolver if it is version <= 9.5:

% dig +dnssec jhfgTCFGD564564.org

; <<>> DiG 9.5.1-P3 <<>> +dnssec @dnssec.generic-nic.net jhfgTCFGD564564.org
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: