puzzling answer of dig with +sigchase/NSEC3

Evan Hunt each at isc.org
Mon Nov 9 17:24:29 UTC 2009

On Mon, Nov 09, 2009 at 04:47:02PM +0100, Klaus Malorny wrote:
> I would have expected to get a "SUCCESS" also, i.e. that the negative 
> answer could have been validated so far. Did I miss anything?  For zones 
> using NSEC, like "se", this seems to work. Is there no full support for 
> NSEC3 in dig yet?

Unfortunately, no.

ISC didn't write the "dig +sigchase" code; it was contributed to us by the
IDsA project, and we haven't done much to maintain it.  It's somewhat buggy
and fragile code, which is why it's #ifdef'd out.  We've planned for years
to overhaul or rewrite it, add NSEC3 and DLV support, and take out the
#ifdef's, but so far that's always fallen to time and resource limits.

Until we do have a proper DNSSEC-aware dig, you might try "drill" from
the Unbound project.

Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.

More information about the bind-users mailing list