NSEC3 records not available through a BIND resolver <= 9.5?
I cannot get the NSEC3 records through a BIND resolver if it is version <= 9.5:

% dig +dnssec jhfgTCFGD564564.org

; <<>> DiG 9.5.1-P3 <<>> +dnssec @dnssec.generic-nic.net jhfgTCFGD564564.org
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1319
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;jhfgTCFGD564564.org. IN A

;; AUTHORITY SECTION:
org. 593 IN SOA a0.org.afilias-nst.info. noc.afilias-nst.info. 2009057797 1800 900 604800 86400
org. 593 IN RRSIG SOA 7 1 900 20100331154136 20100317144136 4193 org. i2L/6m7SknlPyZSPm3+9WrSqq+FAKjJLlSu/ec0gKRR2efoRwOY7Qa/8 cbvFpVEm5h9z9ntCCbGPmejhks/N+mPQP4H/hecnff59N/utzzWuBCZ0 edIT1LA/Iu6KFMgDK0xdEfH4GPhtgFJwZc+K2TURhQewiOPUY42xHuG6 +IY=

;; Query time: 1 msec
;; SERVER: 2001:660:3003:3::1:4#53(2001:660:3003:3::1:4)
;; WHEN: Wed Mar 17 17:00:18 2010
;; MSG SIZE rcvd: 274

If BIND >= 9.6, it works (or with Unbound).

Yes, NSEC3 support was added in 9.6 but, for older BINDs, TYPE50 (NSEC3) should be an unknown RR type and should be transmitted as is, no?

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: NSEC3 records not available through a BIND resolver <= 9.5?
Stephane Bortzmeyer wrote:
> I cannot get the NSEC3 records through a BIND resolver if it is version <= 9.5:
>
> % dig +dnssec jhfgTCFGD564564.org

> If BIND >= 9.6, it works (or with Unbound). Yes, NSEC3 support was added in 9.6 but, for older BINDs, TYPE50 (NSEC3) should be an unknown RR type and should be transmitted as is, no?

BIND <=9.5 doesn't know that it's supposed to pass them in a NXDOMAIN response.

That said, I thought it would be possible to explicitly ask for TYPE50. But that seems not to work, either:

ha...@snorri:~$ dig +dnssec jhfgTCFGD564564.org |grep IN NSEC3 @127.0.0.1
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 142 IN NSEC3 1 1 1 D399EAAB H9RSFB7FPF2L8HG35CMPC765TDK23RP6 NS SOA RRSIG DNSKEY NSEC3PARAM

ha...@snorri:~$ dig +dnssec h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. NSEC3 @10.0.0.2
[...]
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6265
[...]
;; QUESTION SECTION:
;h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. IN NSEC3
[...]
;; AUTHORITY SECTION:
org. 732 IN SOA a0.org.afilias-nst.info. noc.afilias-nst.info. 2009057797 1800 900 604800 86400
org. 732 IN RRSIG SOA 7 1 900 20100331154136 20100317144136 4193 org. i2L/6m7SknlPyZSPm3+9WrSqq+FAKjJLlSu/ec0gKRR2efoRwOY7Qa/8 cbvFpVEm5h9z9ntCCbGPmejhks/N+mPQP4H/hecnff59N/utzzWuBCZ0 edIT1LA/Iu6KFMgDK0xdEfH4GPhtgFJwZc+K2TURhQewiOPUY42xHuG6 +IY=

I tested this against a much older version, though:

version.bind. 0 CH TXT 9.3.4-P1.2

Hauke.
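
The symptom discussed in this thread can be checked mechanically. The following is an added example, not part of either message: a Python script that reads dig's text output and reports whether a negative answer requested with the DO bit still carries NSEC/NSEC3 records. The function names and result labels are assumptions of the example, and the two sample responses are constructed and abridged from the output quoted above, with signature data replaced by the placeholder "sig".

```python
import re

DENIAL = {"NSEC", "NSEC3"}  # RR types that can prove a name does not exist

def parse_dig(text):
    """Pull status, DO bit and per-section RR types out of dig's text output."""
    info = {"status": None, "do": False, "types": {}}
    section = None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith(";"):
            if m := re.search(r"status: (\w+)", line):
                info["status"] = m.group(1)
            if m := re.search(r"EDNS:.*flags:([^;]*);", line):
                info["do"] = "do" in m.group(1).split()
            if m := re.match(r";; (\w+) SECTION:", line):
                section = m.group(1)
            continue
        fields = line.split()
        if section and "IN" in fields[:-1]:  # a resource record line
            info["types"].setdefault(section, set()).add(fields[fields.index("IN") + 1])
    return info

def denial_check(text):
    """Classify a response by whether it carries authenticated denial of existence."""
    r = parse_dig(text)
    auth = r["types"].get("AUTHORITY", set())
    if not r["do"]:
        return "no-do"  # the client did not ask for DNSSEC records
    if not (r["status"] == "NXDOMAIN" or (r["status"] == "NOERROR" and "ANSWER" not in r["types"])):
        return "not-negative"
    if auth & DENIAL:
        return "proof-present"
    # RRSIGs without NSEC/NSEC3: the zone is signed, but the proof did not arrive.
    return "proof-missing" if "RRSIG" in auth else "unsigned"

# Constructed sample: the NXDOMAIN answer seen through the old resolver (abridged).
VIA_OLD_RESOLVER = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1319
; EDNS: version: 0, flags: do; udp: 4096
;; AUTHORITY SECTION:
org. 593 IN SOA a0.org.afilias-nst.info. noc.afilias-nst.info. 2009057797 1800 900 604800 86400
org. 593 IN RRSIG SOA 7 1 900 20100331154136 20100317144136 4193 org. sig
"""
# Constructed sample: same answer plus the NSEC3 record from the reply and an RRSIG for it.
VIA_NSEC3_AWARE = VIA_OLD_RESOLVER + """\
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 142 IN NSEC3 1 1 1 D399EAAB H9RSFB7FPF2L8HG35CMPC765TDK23RP6 NS SOA RRSIG DNSKEY NSEC3PARAM
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 142 IN RRSIG NSEC3 7 2 900 20100331154136 20100317144136 4193 org. sig
"""
if __name__ == "__main__":
    print(denial_check(VIA_OLD_RESOLVER), denial_check(VIA_NSEC3_AWARE))
```

A "proof-missing" result for a signed zone means a validator placed behind that resolver has nothing with which to verify the NXDOMAIN.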