Different DNSSEC behaviour between two old versions
raf
bind at raf.org
Fri Aug 6 01:56:06 UTC 2021

Hi,

Firstly, I'd like to thank everyone involved with making bind.
I'm used to using old versions (9.10.3 on an old ubuntu host)
and (9.11.5 on debian-10 stable). And just as I'm about to start
using DNSSEC for my domains, debian-11 stable is about to come
out in a few days with bind-9.16.15 which will make DNSSEC so
much easier than I was expecting. Thanks again.

Now to my question. I've seen an odd difference in behaviour
between 9.10.3 and 9.11.5 relating to DNSSEC, and I was wondering
if anyone knows the reason.

With both servers configured with "dnssec-validation auto",
9.10.3 won't resolve tools.ietf.org or datatracker.ietf.org,
but 9.11.5 will resolve them. 9.10.3 will only resolve them
without "dnssec-validation auto". Below is some dig output.
Any thoughts?

cheers,
raf

Bind-9.10.3 (old ubuntu) without dnssec-validation auto:
> dig tools.ietf.org +dnssec
; <<>> DiG 9.10.3-P4-Ubuntu <<>> tools.ietf.org +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2577
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;tools.ietf.org. IN A
;; ANSWER SECTION:
tools.ietf.org. 600 IN A 4.31.198.62
tools.ietf.org. 600 IN A 64.170.98.42
;; Query time: 466 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Aug 06 11:02:57 AEST 2021
;; MSG SIZE rcvd: 75

Bind-9.10.3 (old ubuntu) with dnssec-validation auto:
> dig tools.ietf.org +dnssec
; <<>> DiG 9.10.3-P4-Ubuntu <<>> tools.ietf.org +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22456
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;tools.ietf.org. IN A
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Aug 06 11:20:27 AEST 2021
;; MSG SIZE rcvd: 43

Bind-9.11.5 (debian-10) with dnssec-validation auto:
> dig tools.ietf.org +dnssec
; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> tools.ietf.org +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10705
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 9
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: bc0cbf3fc280195cff2fc080610c8f2371a53d64a2a8f7b4 (good)
;; QUESTION SECTION:
;tools.ietf.org. IN A
;; ANSWER SECTION:
tools.ietf.org. 600 IN A 4.31.198.62
tools.ietf.org. 600 IN A 64.170.98.42
;; AUTHORITY SECTION:
tools.ietf.org. 560 IN NS zinfandel.levkowetz.com.
tools.ietf.org. 560 IN NS dunkelfelder.levkowetz.com.
tools.ietf.org. 560 IN NS dechaunac.levkowetz.com.
tools.ietf.org. 560 IN NS heroldrebe.levkowetz.com.
;; ADDITIONAL SECTION:
dechaunac.levkowetz.com. 126039 IN A 4.31.198.62
zinfandel.levkowetz.com. 126039 IN A 64.170.98.42
heroldrebe.levkowetz.com. 126039 IN A 194.8.197.114
dunkelfelder.levkowetz.com. 126039 IN A 217.69.81.146
dechaunac.levkowetz.com. 126039 IN AAAA 2001:1900:3001:11::3e
zinfandel.levkowetz.com. 126039 IN AAAA 2001:1890:126c::1:2a
heroldrebe.levkowetz.com. 126039 IN AAAA 2001:4dd0:200:405:dc40::1
dunkelfelder.levkowetz.com. 126039 IN AAAA 2001:aa8:ffdc::42
;; Query time: 277 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Aug 06 11:23:47 AEST 2021
;; MSG SIZE rcvd: 392
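One way to triage dig output like the three runs above, as an added example that is not part of the original post: it reads the header status and flags, and treats a SERVFAIL that disappears when validation is skipped as a likely validation failure. The function names and result labels are made up for this example; the header lines are copied from the post.

```python
import re

# Header lines copied from the three dig runs in the post (sample input).
RUNS = {
    "9.10.3 validation off": (
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2577\n"
        ";; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1\n"
    ),
    "9.10.3 validation auto": (
        ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22456\n"
        ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n"
    ),
    "9.11.5 validation auto": (
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10705\n"
        ";; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 9\n"
    ),
}

def parse_header(dig_output):
    """Return (status, header flag set, answer count) from dig text output."""
    status = re.search(r"status: (\w+)", dig_output)
    flags = re.search(r"^;; flags: ([a-z ]*);.*ANSWER: (\d+)", dig_output, re.M)
    if not status or not flags:
        raise ValueError("no dig header found")
    return status.group(1), set(flags.group(1).split()), int(flags.group(2))

def classify(dig_output):
    """Label one response by what it says about DNSSEC validation."""
    status, flags, answers = parse_header(dig_output)
    if status == "SERVFAIL":
        return "servfail"
    if status == "NOERROR" and answers and "ad" in flags:
        return "validated"        # resolver set the AD bit on the answer
    if status == "NOERROR" and answers:
        return "answered-no-ad"   # resolved, but not marked authenticated
    return "other"

def compare(validating, non_validating):
    """Compare a validating run with a run that skips validation."""
    a, b = classify(validating), classify(non_validating)
    if a == "servfail" and b != "servfail":
        return "validation-suspected"  # name resolves only when unchecked
    if a == "servfail":
        return "resolution-failure"    # fails either way, not DNSSEC-specific
    return a

if __name__ == "__main__":
    for name, text in RUNS.items():
        print(f"{name}: {classify(text)}")
    print(compare(RUNS["9.10.3 validation auto"], RUNS["9.10.3 validation off"]))
```

On a live resolver the same comparison can be made without reconfiguring named by repeating the query with dig's `+cd` option, which asks the resolver to skip validation for that query.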