NSEC3 records not available through a BIND resolver <= 9.5?

Hauke Lampe list+bindusers at hauke-lampe.de
Wed Mar 17 16:34:35 UTC 2010


Stephane Bortzmeyer wrote:

> I cannot get the NSEC3 records through a BIND resolver if it is
> version <= 9.5:
> 
> % dig +dnssec jhfgTCFGD564564.org                   
> 
> If BIND >= 9.6, it works (or with Unbound). Yes, NSEC3 support was
> added in 9.6 but, for older BINDs, TYPE50 (NSEC3) should be an 
> unknown RR type and should be transmitted as is, no?

BIND <=9.5 doesn't know that it's supposed to pass them in an NXDOMAIN
response.

That said, I thought it would be possible to explicitly ask for TYPE50.
But that seems not to work, either:

> hauke@snorri:~$ dig +dnssec jhfgTCFGD564564.org @127.0.0.1 | grep "IN NSEC3"
> h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 142 IN NSEC3 1 1 1 D399EAAB H9RSFB7FPF2L8HG35CMPC765TDK23RP6 NS SOA RRSIG DNSKEY NSEC3PARAM

> hauke@snorri:~$ dig +dnssec h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. NSEC3 @10.0.0.2
>[...]
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6265
>[...]
> ;; QUESTION SECTION:
> ;h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. IN NSEC3
>[...]
> ;; AUTHORITY SECTION:
> org.			732	IN	SOA	a0.org.afilias-nst.info. noc.afilias-nst.info. 2009057797 1800 900 604800 86400
> org.			732	IN	RRSIG	SOA 7 1 900 20100331154136 20100317144136 4193 org. i2L/6m7SknlPyZSPm3+9WrSqq+FAKjJLlSu/ec0gKRR2efoRwOY7Qa/8 cbvFpVEm5h9z9ntCCbGPmejhks/N+mPQP4H/hecnff59N/utzzWuBCZ0 edIT1LA/Iu6KFMgDK0xdEfH4GPhtgFJwZc+K2TURhQewiOPUY42xHuG6 +IY=

I tested this against a much older version, though:

> version.bind.		0	CH	TXT	"9.3.4-P1.2"


Hauke.
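
How the owner name of the NSEC3 record quoted above is derived (RFC 5155 hashing), as an added example that is not part of the original message: the owner label is the hash of the zone apex `org.`, which is why the record's type list carries SOA and NSEC3PARAM. The function names and the `covers` helper are assumptions of this example; the record text is copied from the post.

```python
import base64
import hashlib

# RFC 4648 base32 alphabet mapped onto the base32hex alphabet used by NSEC3.
_B32_TO_HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                            "0123456789ABCDEFGHIJKLMNOPQRSTUV")

# NSEC3 record as shown in the post (TTL included, as dig printed it).
POSTED_RR = ("h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 142 IN NSEC3 1 1 1 D399EAAB "
             "H9RSFB7FPF2L8HG35CMPC765TDK23RP6 NS SOA RRSIG DNSKEY NSEC3PARAM")

def to_wire(name):
    """Canonical (lower-case) DNS wire form: length-prefixed labels + root."""
    out = b""
    for label in (l for l in name.lower().rstrip(".").split(".") if l):
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: SHA-1 over name||salt, then `iterations` extra rounds."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_HEX).lower()

def parse_nsec3(rr_line):
    """Split a presentation-format NSEC3 RR into the fields needed for matching."""
    f = rr_line.split()
    i = f.index("NSEC3")
    if f[i + 1] != "1":
        raise ValueError("only hash algorithm 1 (SHA-1) is defined")
    return {"owner_hash": f[0].split(".")[0].lower(), "iterations": int(f[i + 3]),
            "salt": f[i + 4], "next_hash": f[i + 5].lower(), "types": f[i + 6:]}

def matches(rr_line, name):
    """True if the RR's owner label is the NSEC3 hash of `name`."""
    rr = parse_nsec3(rr_line)
    return nsec3_hash(name, rr["salt"], rr["iterations"]) == rr["owner_hash"]

def covers(owner_hash, next_hash, h):
    """True if h falls strictly between owner and next (last RR wraps around)."""
    if owner_hash < next_hash:
        return owner_hash < h < next_hash
    return h > owner_hash or h < next_hash

if __name__ == "__main__":
    print("matches org.:", matches(POSTED_RR, "org."))
    print("matches queried name:", matches(POSTED_RR, "jhfgTCFGD564564.org"))
```
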
