Behaviour change of dig +dnssec between 9.11 and 9.16

Josef Moellers jmoellers at
Tue Jun 29 12:45:50 UTC 2021


A colleague has recently upgraded from 9.11.2 to 9.16.6 and has observed
that with a named that supports DNSSEC

on 9.11.2:
dig +dnssec @<server>
did not return any RRSIG (it did on occasion but not consistently).

on 9.16.6:
dig +dnssec @<server>
now consistently returns the RRSIG every time but
dig +dnssec @<server> org NS
does not return any RRSIG, although the "org" name servers (eg do support it.

For the last 1½ weeks, I've been trying to dig (pun intended) through
the bind 9.16.18 source code to find how the RRSIG makes its way to the
user's screen but have failed so far.
Can someone either tell my why the behaviour is as described above, ie
why dig without any name and type returns an RRSIG and when being asked
for the NS record of "org" does not send the signature along.

Thanks, and stay healty!

SUSE Software Solutions Germany GmbH
Maxfeldstr. 5
90409 Nürnberg

(HRB 36809, AG Nürnberg)
Geschäftsführer: Felix Imendörffer

More information about the bind-workers mailing list