I cannot get the NSEC3 records through a BIND resolver if it is version <= 9.5:
% dig +dnssec jhfgTCFGD564564.org

; <<>> DiG 9.5.1-P3 <<>> +dnssec @dnssec.generic-nic.net jhfgTCFGD564564.org
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1319
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;jhfgTCFGD564564.org. IN A

;; AUTHORITY SECTION:
org. 593 IN SOA a0.org.afilias-nst.info. noc.afilias-nst.info. 2009057797 1800 900 604800 86400
org. 593 IN RRSIG SOA 7 1 900 20100331154136 20100317144136 4193 org. i2L/6m7SknlPyZSPm3+9WrSqq+FAKjJLlSu/ec0gKRR2efoRwOY7Qa/8 cbvFpVEm5h9z9ntCCbGPmejhks/N+mPQP4H/hecnff59N/utzzWuBCZ0 edIT1LA/Iu6KFMgDK0xdEfH4GPhtgFJwZc+K2TURhQewiOPUY42xHuG6 +IY=

;; Query time: 1 msec
;; SERVER: 2001:660:3003:3::1:4#53(2001:660:3003:3::1:4)
;; WHEN: Wed Mar 17 17:00:18 2010
;; MSG SIZE  rcvd: 274

If BIND >= 9.6, it works (or with Unbound). Yes, NSEC3 support was added in 9.6 but, for older BINDs, TYPE50 (NSEC3) should be an unknown RR type and should be transmitted as is, no?
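The symptom in the post is easy to miss by eye: the NXDOMAIN answer does carry a signed SOA, so it looks "DNSSEC-ish", yet the NSEC3 records that actually prove non-existence are gone. The following script is an added example (not code from the post or from ISC) that parses dig's text output and reports whether a negative answer carries a complete denial-of-existence proof: SOA plus its RRSIG, and at least one NSEC/NSEC3 record, each covered by an RRSIG, in the AUTHORITY section. It also accepts the RFC 3597 unknown-type form (TYPE50 for NSEC3, TYPE47 for NSEC), which is what the poster expects an older resolver to relay unchanged. The first sample is the dig output from the post; the other two samples, including the HASH1/HASH2 owner names, the PLACEHOLDERSIG== signatures and the TYPE50 hex rdata, are constructed placeholders, not real zone data.

```python
import re
from typing import Dict, List, Tuple

# RFC 3597 "unknown type" presentation names for the two denial-of-existence
# types, so a resolver that relays NSEC3 as an opaque TYPE50 still counts.
UNKNOWN_TYPE_ALIASES = {"TYPE47": "NSEC", "TYPE50": "NSEC3"}
DENIAL_TYPES = {"NSEC", "NSEC3"}

# Record tuple: (owner name, RR type, type covered if the RR is an RRSIG else "")
Record = Tuple[str, str, str]


def parse_dig(output: str) -> Tuple[str, Dict[str, List[Record]]]:
    """Extract the RCODE and the per-section records from dig's text output."""
    rcode = "UNKNOWN"
    sections: Dict[str, List[Record]] = {}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status:\s*(\w+)", line)
            rcode = m.group(1) if m else rcode
            continue
        m = re.match(r";; (\w+) SECTION:", line)
        if m:  # ";; AUTHORITY SECTION:" etc.; ";; OPT PSEUDOSECTION:" does not match
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if line.startswith(";") or current is None:
            continue  # banner, flags, EDNS line, the question line, the trailer
        fields = line.split()
        if len(fields) < 4:
            continue
        rrtype = fields[3].upper()
        rrtype = UNKNOWN_TYPE_ALIASES.get(rrtype, rrtype)
        covered = ""
        if rrtype == "RRSIG" and len(fields) > 4:  # RRSIG <type covered> ...
            covered = UNKNOWN_TYPE_ALIASES.get(fields[4].upper(), fields[4].upper())
        sections[current].append((fields[0], rrtype, covered))
    return rcode, sections


def negative_proof_status(output: str) -> dict:
    """Report whether the AUTHORITY section proves the name's non-existence."""
    rcode, sections = parse_dig(output)
    auth = sections.get("AUTHORITY", [])
    types = {t for _, t, _ in auth}
    covered = {c for _, t, c in auth if t == "RRSIG"}
    denial = [(o, t) for o, t, _ in auth if t in DENIAL_TYPES]
    denial_signed = bool(denial) and all(t in covered for _, t in denial)
    return {
        "rcode": rcode,
        "has_soa": "SOA" in types,
        "soa_signed": "SOA" in covered,
        "denial_records": [o for o, _ in denial],
        "complete": "SOA" in types and "SOA" in covered and denial_signed,
    }


# Sample 1: the dig output quoted in the post (BIND 9.5.1-P3 resolver).
DIG_OLD_BIND = """\
; <<>> DiG 9.5.1-P3 <<>> +dnssec @dnssec.generic-nic.net jhfgTCFGD564564.org
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1319
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;jhfgTCFGD564564.org. IN A

;; AUTHORITY SECTION:
org. 593 IN SOA a0.org.afilias-nst.info. noc.afilias-nst.info. 2009057797 1800 900 604800 86400
org. 593 IN RRSIG SOA 7 1 900 20100331154136 20100317144136 4193 org. i2L/6m7SknlPyZSPm3+9WrSqq+FAKjJLlSu/ec0gKRR2efoRwOY7Qa/8 cbvFpVEm5h9z9ntCCbGPmejhks/N+mPQP4H/hecnff59N/utzzWuBCZ0 edIT1LA/Iu6KFMgDK0xdEfH4GPhtgFJwZc+K2TURhQewiOPUY42xHuG6 +IY=

;; Query time: 1 msec
"""

# Sample 2 (constructed): the same answer as a resolver that understands NSEC3
# should relay it. HASH1/HASH2 and PLACEHOLDERSIG== are placeholders.
DIG_WITH_NSEC3 = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; AUTHORITY SECTION:
org. 900 IN SOA a0.org.afilias-nst.info. noc.afilias-nst.info. 2009057797 1800 900 604800 86400
org. 900 IN RRSIG SOA 7 1 900 20100331154136 20100317144136 4193 org. PLACEHOLDERSIG==
HASH1.org. 86400 IN NSEC3 1 1 1 - HASH2 NS SOA RRSIG DNSKEY NSEC3PARAM
HASH1.org. 86400 IN RRSIG NSEC3 7 2 86400 20100331154136 20100317144136 4193 org. PLACEHOLDERSIG==
HASH2.org. 86400 IN NSEC3 1 1 1 - HASH3 NS DS RRSIG
HASH2.org. 86400 IN RRSIG NSEC3 7 2 86400 20100331154136 20100317144136 4193 org. PLACEHOLDERSIG==
"""

# Sample 3 (constructed): NSEC3 relayed in RFC 3597 unknown-type syntax, as the
# poster expects from an older resolver. The hex rdata is a placeholder.
DIG_UNKNOWN_TYPE = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7
;; AUTHORITY SECTION:
org. 900 IN SOA a0.org.afilias-nst.info. noc.afilias-nst.info. 2009057797 1800 900 604800 86400
org. 900 IN RRSIG SOA 7 1 900 20100331154136 20100317144136 4193 org. PLACEHOLDERSIG==
HASH1.org. 86400 IN TYPE50 \\# 8 0101000100000000
HASH1.org. 86400 IN RRSIG TYPE50 7 2 86400 20100331154136 20100317144136 4193 org. PLACEHOLDERSIG==
"""
```

Run it against the output of `dig +dnssec <nonexistent name> @resolver` for each resolver you operate: a result with `has_soa` and `soa_signed` true but `complete` false is exactly the stripped-NSEC3 shape shown in the post, and a validating stub behind that resolver will treat the answer as bogus rather than as a proven NXDOMAIN.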