Re: NSEC3 records not available through a BIND resolver <= 9.5?
In message <20100317172506.gb21...@isc.org>, Evan Hunt writes:
> > BIND <=9.5 doesn't know that it's supposed to pass them in a NXDOMAIN
> > response.
>
> Correct, and whoops. We should have backported at least that much
> knowledge of NSEC3.

Not really. You need a NSEC3 aware path between the validator and the
authoritative servers to use NSEC3. This is no different to needing a
DNSSEC aware path between the validator and the authoritative server
for DNSSEC. Some things just don't work through old servers.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: NSEC3 records not available through a BIND resolver <= 9.5?
> BIND <=9.5 doesn't know that it's supposed to pass them in a NXDOMAIN
> response.

Correct, and whoops. We should have backported at least that much
knowledge of NSEC3.

> That said, I thought it would be possible to explicitly ask for TYPE50.
> But that seems not to work, either:

IIRC, RFC 5155 says that authoritative servers must not answer direct
queries for NSEC3.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
Re: NSEC3 records not available through a BIND resolver <= 9.5?
Stephane Bortzmeyer wrote:
> I cannot get the NSEC3 records through a BIND resolver if it is
> version <= 9.5:
>
> % dig +dnssec jhfgTCFGD564564.org
>
> If BIND >= 9.6, it works (or with Unbound). Yes, NSEC3 support was
> added in 9.6 but, for older BINDs, TYPE50 (NSEC3) should be an
> unknown RR type and should be transmitted as is, no?

BIND <=9.5 doesn't know that it's supposed to pass them in a NXDOMAIN
response.

That said, I thought it would be possible to explicitly ask for TYPE50.
But that seems not to work, either:

> ha...@snorri:~$ dig +dnssec jhfgTCFGD564564.org |grep "IN NSEC3" @127.0.0.1
> h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 142 IN NSEC3 1 1 1 D399EAAB
> H9RSFB7FPF2L8HG35CMPC765TDK23RP6 NS SOA RRSIG DNSKEY NSEC3PARAM
> ha...@snorri:~$ dig +dnssec h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. NSEC3
> @10.0.0.2
> [...]
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6265
> [...]
> ;; QUESTION SECTION:
> ;h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. IN NSEC3
> [...]
> ;; AUTHORITY SECTION:
> org. 732 IN SOA a0.org.afilias-nst.info.
> noc.afilias-nst.info. 2009057797 1800 900 604800 86400
> org. 732 IN RRSIG SOA 7 1 900 20100331154136
> 20100317144136 4193 org.
> i2L/6m7SknlPyZSPm3+9WrSqq+FAKjJLlSu/ec0gKRR2efoRwOY7Qa/8
> cbvFpVEm5h9z9ntCCbGPmejhks/N+mPQP4H/hecnff59N/utzzWuBCZ0
> edIT1LA/Iu6KFMgDK0xdEfH4GPhtgFJwZc+K2TURhQewiOPUY42xHuG6 +IY=

I tested this against a much older version, though:

> version.bind. 0 CH TXT "9.3.4-P1.2"

Hauke.
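Added example (not code from the thread, from BIND or from ISC): the two checks a validator performs on an NSEC3 RR that arrives in an NXDOMAIN answer, which is why asking for the RR by its owner name, as in the second dig above, gives a resolver nothing usable. The hash algorithm is RFC 5155 section 5 (SHA-1 over the canonical wire-format name plus salt, iterated, base32hex); the owner hash, next hash, salt D399EAAB and iteration count 1 are copied from the NSEC3 record quoted above, and the query hashes in the demo are constructed.

```python
import base64
import hashlib

# Parameters copied from the NSEC3 record quoted in the thread (org. zone).
NSEC3_OWNER = "h9p7u7tr2u91d0v0ljs9l1gidnp90u3h"
NSEC3_NEXT = "h9rsfb7fpf2l8hg35cmpc765tdk23rp6"
SALT_HEX = "D399EAAB"   # hash alg 1 = SHA-1, iterations = 1
ITERATIONS = 1

# RFC 4648 base32hex is base32 with a different alphabet; map one onto the other.
_B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_HEX32 = str.maketrans(_B32_STD, _B32_HEX)


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of a domain name, RFC 4034 s6.2."""
    labels = [lab for lab in name.rstrip(".").lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 s5: IH(0) = SHA-1(name||salt); IH(k) = SHA-1(IH(k-1)||salt)."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20-byte digest -> 32 base32hex characters, no padding; base32hex sorts like the hash.
    return base64.b32encode(digest).decode("ascii").translate(_TO_HEX32).lower()


def nsec3_covers(owner_hash: str, next_hash: str, query_hash: str) -> bool:
    """RFC 5155 s8.1: query hash lies strictly between owner and next (chain wraps at the end)."""
    o, n, q = owner_hash.lower(), next_hash.lower(), query_hash.lower()
    if o < n:
        return o < q < n
    return q > o or q < n   # last RR of the chain: next points back to the smallest hash


def nsec3_relation(qname: str, owner_hash: str, next_hash: str,
                   salt_hex: str, iterations: int) -> str:
    """How one NSEC3 RR relates to qname: 'match' (name exists), 'covers' (proves absence), 'none'."""
    h = nsec3_hash(qname, salt_hex, iterations)
    if h == owner_hash.lower():
        return "match"
    return "covers" if nsec3_covers(owner_hash, next_hash, h) else "none"


if __name__ == "__main__":
    for qname in ("org.", "jhfgTCFGD564564.org."):
        print(qname, nsec3_hash(qname, SALT_HEX, ITERATIONS),
              nsec3_relation(qname, NSEC3_OWNER, NSEC3_NEXT, SALT_HEX, ITERATIONS))
```

The record's owner name is only meaningful once the validator has hashed the name it is trying to prove absent with the zone's own parameters; a resolver that drops the NSEC3 from the NXDOMAIN answer, or a direct query for the owner name, leaves it with no hash range to compare against.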
NSEC3 records not available through a BIND resolver <= 9.5?
I cannot get the NSEC3 records through a BIND resolver if it is version <= 9.5:

% dig +dnssec jhfgTCFGD564564.org

; <<>> DiG 9.5.1-P3 <<>> +dnssec @dnssec.generic-nic.net jhfgTCFGD564564.org
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1319
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;jhfgTCFGD564564.org. IN A

;; AUTHORITY SECTION:
org. 593 IN SOA a0.org.afilias-nst.info. noc.afilias-nst.info. 2009057797 1800 900 604800 86400
org. 593 IN RRSIG SOA 7 1 900 20100331154136 20100317144136 4193 org. i2L/6m7SknlPyZSPm3+9WrSqq+FAKjJLlSu/ec0gKRR2efoRwOY7Qa/8 cbvFpVEm5h9z9ntCCbGPmejhks/N+mPQP4H/hecnff59N/utzzWuBCZ0 edIT1LA/Iu6KFMgDK0xdEfH4GPhtgFJwZc+K2TURhQewiOPUY42xHuG6 +IY=

;; Query time: 1 msec
;; SERVER: 2001:660:3003:3::1:4#53(2001:660:3003:3::1:4)
;; WHEN: Wed Mar 17 17:00:18 2010
;; MSG SIZE rcvd: 274

If BIND >= 9.6, it works (or with Unbound). Yes, NSEC3 support was added in 9.6 but, for older BINDs, TYPE50 (NSEC3) should be an unknown RR type and should be transmitted as is, no?