Stephane Bortzmeyer wrote:
> I cannot get the NSEC3 records through a BIND resolver if it is
> version <= 9.5:
>
> % dig +dnssec jhfgTCFGD564564.org
>
> If BIND >= 9.6, it works (or with Unbound). Yes, NSEC3 support was
> added in 9.6 but, for older BINDs, TYPE50 (NSEC3) should be an
> unknown RR type and should be transmitted as is, no?

BIND <=9.5 doesn't know that it's supposed to pass them in a NXDOMAIN
response. That said, I thought it would be possible to explicitly ask
for TYPE50. But that seems not to work, either:

> ha...@snorri:~$ dig +dnssec jhfgTCFGD564564.org |grep "IN NSEC3" @127.0.0.1
> h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 142 IN NSEC3 1 1 1 D399EAAB
> H9RSFB7FPF2L8HG35CMPC765TDK23RP6 NS SOA RRSIG DNSKEY NSEC3PARAM
> ha...@snorri:~$ dig +dnssec h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. NSEC3
> @10.0.0.2
>[...]
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6265
>[...]
> ;; QUESTION SECTION:
> ;h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. IN NSEC3
>[...]
> ;; AUTHORITY SECTION:
> org. 732 IN SOA a0.org.afilias-nst.info.
> noc.afilias-nst.info. 2009057797 1800 900 604800 86400
> org. 732 IN RRSIG SOA 7 1 900 20100331154136
> 20100317144136 4193 org.
> i2L/6m7SknlPyZSPm3+9WrSqq+FAKjJLlSu/ec0gKRR2efoRwOY7Qa/8
> cbvFpVEm5h9z9ntCCbGPmejhks/N+mPQP4H/hecnff59N/utzzWuBCZ0
> edIT1LA/Iu6KFMgDK0xdEfH4GPhtgFJwZc+K2TURhQewiOPUY42xHuG6 +IY=

I tested this against a much older version, though:

> version.bind. 0 CH TXT "9.3.4-P1.2"

Hauke.
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
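
An added example, not part of the original thread: when checking whether a resolver has dropped the NSEC3 denial from an NXDOMAIN answer, it helps to compute the RFC 5155 hash of the queried name yourself and compare it with the NSEC3 records the resolver did return. The function names here are hypothetical, the record values are copied from the dig output quoted above, and a full NXDOMAIN proof needs several NSEC3 records (closest encloser, next closer name, wildcard) while this checks one record at a time.

```python
import base64
import hashlib

# base32 alphabet -> base32hex alphabet (NSEC3 owner labels use base32hex).
_B32_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                 b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Canonical (lowercased) DNS wire format of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hash: SHA-1(name || salt), then `iterations` extra rounds."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode().lower()

def denial_status(qname, owner_hash, next_hash, salt_hex, iterations):
    """Return 'matches', 'covers' or 'unrelated' for a single NSEC3 record."""
    h = nsec3_hash(qname, salt_hex, iterations)
    o, n = owner_hash.lower(), next_hash.lower()
    if h == o:
        return "matches"
    # base32hex sorts like the raw hash; the last record in the chain wraps.
    if o < h < n or (n <= o and (h > o or h < n)):
        return "covers"
    return "unrelated"

# Record quoted in the message above: owner label, next hashed owner, salt, iterations.
PAGE_NSEC3 = ("h9p7u7tr2u91d0v0ljs9l1gidnp90u3h",
              "H9RSFB7FPF2L8HG35CMPC765TDK23RP6", "D399EAAB", 1)

if __name__ == "__main__":
    for qname in ("org.", "jhfgTCFGD564564.org."):
        print(qname, nsec3_hash(qname, PAGE_NSEC3[2], PAGE_NSEC3[3]),
              denial_status(qname, *PAGE_NSEC3))
```

If none of the NSEC3 records in a resolver's NXDOMAIN answer matches or covers the hashes you expect, or the authority section carries only the SOA and its RRSIG as in the output above, the denial proof did not reach the client.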