NSEC3 records not available through a BIND resolver <= 9.5?
Stephane Bortzmeyer
bortzmeyer at nic.fr
Wed Mar 17 16:01:51 UTC 2010
I cannot get the NSEC3 records through a BIND resolver if it is
version <= 9.5:
% dig +dnssec jhfgTCFGD564564.org
; <<>> DiG 9.5.1-P3 <<>> +dnssec @dnssec.generic-nic.net jhfgTCFGD564564.org
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1319
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;jhfgTCFGD564564.org. IN A
;; AUTHORITY SECTION:
org. 593 IN SOA a0.org.afilias-nst.info. noc.afilias-nst.info. 2009057797 1800 900 604800 86400
org. 593 IN RRSIG SOA 7 1 900 20100331154136 20100317144136 4193 org. i2L/6m7SknlPyZSPm3+9WrSqq+FAKjJLlSu/ec0gKRR2efoRwOY7Qa/8 cbvFpVEm5h9z9ntCCbGPmejhks/N+mPQP4H/hecnff59N/utzzWuBCZ0 edIT1LA/Iu6KFMgDK0xdEfH4GPhtgFJwZc+K2TURhQewiOPUY42xHuG6 +IY=
;; Query time: 1 msec
;; SERVER: 2001:660:3003:3::1:4#53(2001:660:3003:3::1:4)
;; WHEN: Wed Mar 17 17:00:18 2010
;; MSG SIZE rcvd: 274
If BIND >= 9.6, it works (or with Unbound). Yes, NSEC3 support was
added in 9.6 but, for older BINDs, TYPE50 (NSEC3) should be an
unknown RR type and should be transmitted as is, no?
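
Added example, not part of the original post: a small Python check that reads dig output and reports when an NXDOMAIN answer to a DO=1 query carries no NSEC/NSEC3 denial-of-existence records, which is the symptom shown above. The function names and both sample responses are assumptions made for this example; the first sample is abridged from the output in the post, and the NSEC3 line is a constructed placeholder.

```python
import re

# RR types that carry authenticated denial of existence. TYPE47/TYPE50 are the
# RFC 3597 spellings printed by tools that do not know NSEC/NSEC3 by name.
DENIAL_TYPES = {"NSEC", "TYPE47", "NSEC3", "TYPE50"}

def parse_dig(text):
    """Extract status, EDNS DO flag and authority-section RR types from dig output."""
    status = re.search(r"status: (\w+)", text)
    edns = re.search(r"; EDNS:.*flags:([^;]*);", text)
    types, in_authority = [], False
    for line in text.splitlines():
        if line.startswith(";; "):
            # Any ";; ..." line starts or ends a section.
            in_authority = line.startswith(";; AUTHORITY SECTION")
            continue
        fields = line.split()
        # Record lines look like: owner TTL class type rdata...
        if in_authority and len(fields) >= 4 and not line.startswith(";"):
            types.append(fields[3].upper())
    return {
        "status": status.group(1) if status else None,
        "do": bool(edns) and "do" in edns.group(1).split(),
        "authority_types": types,
    }

def denial_proof_missing(text):
    """True when a DO=1 NXDOMAIN answer has no NSEC/NSEC3 in its authority section."""
    r = parse_dig(text)
    has_proof = any(t in DENIAL_TYPES for t in r["authority_types"])
    return r["status"] == "NXDOMAIN" and r["do"] and not has_proof

# Constructed sample, abridged from the output in the post (signature elided).
STRIPPED = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1319
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; AUTHORITY SECTION:
org. 593 IN SOA a0.org.afilias-nst.info. noc.afilias-nst.info. 2009057797 1800 900 604800 86400
org. 593 IN RRSIG SOA 7 1 900 20100331154136 20100317144136 4193 org. <signature-elided>
"""
# Constructed sample: the same answer with one placeholder NSEC3 record appended.
WITH_NSEC3 = STRIPPED + "owner-hash-placeholder.org. 900 IN NSEC3 1 1 1 - next-hash-placeholder NS SOA RRSIG\n"

if __name__ == "__main__":
    for name, sample in (("stripped", STRIPPED), ("with NSEC3", WITH_NSEC3)):
        print(name, "-> denial proof missing:", denial_proof_missing(sample))
```

A validating client behind a resolver that returns the first kind of answer cannot verify the NXDOMAIN, so this check is useful when auditing which resolvers in a path pass denial records through.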