Different DNSSEC behaviour between two old versions

raf bind at raf.org
Fri Aug 6 01:56:06 UTC 2021


Hi,

Firstly, I'd like to thank everyone involved with making bind.
I'm used to using old versions (9.10.3 on an old ubuntu host)
and (9.11.5 on debian-10 stable). And just as I'm about to start
using DNSSEC for my domains, debian-11 stable is about to come
out in a few days with bind-9.16.15 which will make DNSSEC so
much easier than I was expecting. Thanks again.

Now to my question. I've seen an odd difference in behaviour
between 9.10.3 and 9.11.5 relating to DNSSEC, and I was wondering
if anyone knows the reason.

With both servers configured with "dnssec-validation auto",
9.10.3 won't resolve tools.ietf.org or datatracker.ietf.org,
but 9.11.5 will resolve them. 9.10.3 will only resolve them
without "dnssec-validation auto". Below is some dig output.

Any thoughts?

cheers,
raf

Bind-9.10.3 (old ubuntu) without dnssec-validation auto:

    > dig tools.ietf.org +dnssec

    ; <<>> DiG 9.10.3-P4-Ubuntu <<>> tools.ietf.org +dnssec
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2577
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;tools.ietf.org.                        IN      A

    ;; ANSWER SECTION:
    tools.ietf.org.         600     IN      A       4.31.198.62
    tools.ietf.org.         600     IN      A       64.170.98.42

    ;; Query time: 466 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Fri Aug 06 11:02:57 AEST 2021
    ;; MSG SIZE  rcvd: 75

Bind-9.10.3 (old ubuntu) with dnssec-validation auto:

    > dig tools.ietf.org +dnssec

    ; <<>> DiG 9.10.3-P4-Ubuntu <<>> tools.ietf.org +dnssec
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22456
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;tools.ietf.org.                        IN      A

    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Fri Aug 06 11:20:27 AEST 2021
    ;; MSG SIZE  rcvd: 43

Bind-9.11.5 (debian-10) with dnssec-validation auto:

    > dig tools.ietf.org +dnssec

    ; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> tools.ietf.org +dnssec
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10705
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 9

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ; COOKIE: bc0cbf3fc280195cff2fc080610c8f2371a53d64a2a8f7b4 (good)
    ;; QUESTION SECTION:
    ;tools.ietf.org.                        IN      A

    ;; ANSWER SECTION:
    tools.ietf.org.         600     IN      A       4.31.198.62
    tools.ietf.org.         600     IN      A       64.170.98.42

    ;; AUTHORITY SECTION:
    tools.ietf.org.         560     IN      NS      zinfandel.levkowetz.com.
    tools.ietf.org.         560     IN      NS      dunkelfelder.levkowetz.com.
    tools.ietf.org.         560     IN      NS      dechaunac.levkowetz.com.
    tools.ietf.org.         560     IN      NS      heroldrebe.levkowetz.com.

    ;; ADDITIONAL SECTION:
    dechaunac.levkowetz.com. 126039 IN      A       4.31.198.62
    zinfandel.levkowetz.com. 126039 IN      A       64.170.98.42
    heroldrebe.levkowetz.com. 126039 IN     A       194.8.197.114
    dunkelfelder.levkowetz.com. 126039 IN   A       217.69.81.146
    dechaunac.levkowetz.com. 126039 IN      AAAA    2001:1900:3001:11::3e
    zinfandel.levkowetz.com. 126039 IN      AAAA    2001:1890:126c::1:2a
    heroldrebe.levkowetz.com. 126039 IN     AAAA    2001:4dd0:200:405:dc40::1
    dunkelfelder.levkowetz.com. 126039 IN   AAAA    2001:aa8:ffdc::42

    ;; Query time: 277 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Fri Aug 06 11:23:47 AEST 2021
    ;; MSG SIZE  rcvd: 392
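A triage of the three dig results above, as an added example that is not part of the original post: it reads the header status, the flags line and any RRSIG records, and reports whether the resolver set the `ad` (authenticated data) flag. The function names and the condensed sample strings are assumptions, constructed from the quoted output.

```python
import re

# Constructed samples: header, flags and one answer line condensed from the
# three dig runs quoted in the post (indentation kept as in the archive).
SAMPLES = {
    "9.10.3 validation off": """
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2577
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    tools.ietf.org.         600     IN      A       4.31.198.62
    """,
    "9.10.3 validation auto": """
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22456
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    """,
    "9.11.5 validation auto": """
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10705
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 9
    tools.ietf.org.         600     IN      A       4.31.198.62
    """,
}

def parse_dig(text):
    """Return rcode, header flags, and whether any RRSIG record is present."""
    lines = [line.strip() for line in text.splitlines()]
    joined = "\n".join(lines)
    status = re.search(r"status: (\w+)", joined)
    flags = re.search(r"^;; flags: ([a-z ]*);", joined, re.M)
    if not status or not flags:
        raise ValueError("not dig output: header or flags line missing")
    # Record lines do not start with ';'; the record type is the 4th field.
    rrsig = any(l.split()[3:4] == ["RRSIG"]
                for l in lines if l and not l.startswith(";"))
    return {"status": status.group(1),
            "flags": set(flags.group(1).split()), "rrsig": rrsig}

def triage(text):
    """Classify one dig response from a resolver's point of view."""
    r = parse_dig(text)
    if r["status"] == "SERVFAIL":
        return "servfail: retry with dig +cd to see if validation is the cause"
    if "ad" in r["flags"]:
        return "secure: resolver validated the answer (ad set)"
    if r["status"] == "NOERROR":
        return "unvalidated: answered without ad (insecure zone or validation off)"
    return "other: " + r["status"]

if __name__ == "__main__":
    for name, out in SAMPLES.items():
        print(f"{name:24} {triage(out)}")
```

On the quoted output, none of the three responses carries the `ad` flag or an RRSIG record.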


