Behaviour change of dig +dnssec between 9.11 and 9.16

Josef Moellers jmoellers at suse.de
Tue Jun 29 12:45:50 UTC 2021


Hi,

A colleague has recently upgraded from 9.11.2 to 9.16.6 and has observed
that with a named that supports DNSSEC

on 9.11.2:
dig +dnssec @<server>
did not return any RRSIG (it did on occasion but not consistently).

on 9.16.6:
dig +dnssec @<server>
now consistently returns the RRSIG every time but
dig +dnssec @<server> org NS
does not return any RRSIG, although the "org" name servers (e.g.
a0.org.afilias-nst.info) do support it.

For the last 1½ weeks, I've been trying to dig (pun intended) through
the bind 9.16.18 source code to find how the RRSIG makes its way to the
user's screen but have failed so far.
Can someone either tell me why the behaviour is as described above, i.e.
why dig without any name and type returns an RRSIG and when being asked
for the NS record of "org" does not send the signature along?

Thanks, and stay healthy!

Josef
-- 
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5
90409 Nürnberg
Germany

(HRB 36809, AG Nürnberg)
Managing Director: Felix Imendörffer

