dig -- only RRSIG present.

Spain, Dr. Jeffry A. spainj at countryday.net
Mon Feb 13 02:59:42 UTC 2012


> As Tony Finch pointed out to me a few days ago, the Google public servers don't understand that fact about DS records, and don't know to ask for them in the parent. But here's something interesting - as of my testing just now, they *do* respond with DS records

This thread has been kind of confusing, but looking again at the original post (https://lists.isc.org/pipermail/bind-users/2012-February/086586.html), the author was concerned about the lack of DS records in response to his queries. Those two queries, directed to Google's server at 8.8.8.8, were:
dig +dnssec -t SOA org
dig +dnssec -t SOA org 198.41.0.4

I don't think any DS records should have been provided in the answers since SOA records were being requested. Your query:
dig isc.org @8.8.8.8 ds +dnssec
is requesting and receiving DS records, on the other hand.

I also see Mark's post just now where 'dig @8.8.8.8 ds org.' returns SERVFAIL while 'dig @8.8.8.8 ds isc.org.' returns the appropriate DS records. The same thing happens for me with 'dig @8.8.8.8 ds net.' and 'dig @8.8.8.8 ds jaspain.net.', and with 'dig @8.8.8.8 ds com.' and 'dig @8.8.8.8 ds countryday.com.'. Clearly Google's server is malfunctioning in this regard.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School




More information about the bind-users mailing list