No Response to DNSSEC Requests
Mark Andrews
Mark_Andrews at isc.org
Sun Apr 15 23:28:29 UTC 2007
> I'm running BIND 9.3.4.
>
> I have the following questions:
>
> a) Under what circumstances does BIND not reply to DNSSEC queries?
>
> b) How do I get some logging to tell me why it's ignoring DNSSEC
> queries? (dnssec debug level 3 is entirely silent when it's doing
> this.)
>
> c) Why is it that ns1.cynic.net responds (when queried with dig) to
> queries for "cynic.net SOA" with and without "+dnssec", responds to
> queries for "cynic.net MX" without "+dnssec", but is simply silent
> (no response whatsoever, nothing in the logs) when queried for
> "cynic.net MX" with "+dnssec"? (A DNSSEC-validating server--also
> the same version of BIND 9--has the same issue: it can't see the MX
> records.)

It does respond. I think you should look at your firewall.
The UDP response will be fragmented (1813 bytes in total).

> I note also that I can get MXs for ironic.cynic.net just fine, but,
> e.g., arctic.cynic.net doesn't work. It seems that any set of MX records
> that includes cryptic.cynic.net won't be returned for a DNSSEC query.
>
> cjs
> --
> Curt Sampson <cjs at cynic.net> +81 90 7737 2974
> The power of accurate observation is commonly called cynicism
> by those who have not got it. --George Bernard Shaw
>
>
; <<>> DiG 9.3.3 <<>> cynic.net MX @ns1.cynic.net +dnssec +bufsize=512 +norec +ignore
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1020
;; flags: qr aa tc; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;cynic.net. IN MX
;; ANSWER SECTION:
cynic.net. 900 IN MX 20 cryptic.cynic.net.
cynic.net. 900 IN MX 10 ironic.cynic.net.
cynic.net. 900 IN MX 15 arctic.cynic.net.
cynic.net. 900 IN RRSIG MX 5 2 900 20070714154813 20070415154813 61752 cynic.net. P9rDuZIzjRaejL8MOlnHZc8ImIUoUbinOttNsOVlt1nxGCwYlHepnH4U MV0EUC0Dsv7FY983Uyvpj5eLrMW5EaEhgHrmTjjkusVXdaDVDRAwczzA zMUhEq98jMMAwNhwE8SN4TAVHdzuIzd0BpsF5uE7hzXkCpjDpzqv4SCM 48s=
;; AUTHORITY SECTION:
cynic.net. 900 IN NS ns1.cynic.net.
cynic.net. 900 IN NS ns2.cynic.net.
cynic.net. 900 IN NS ns3.cynic.net.
cynic.net. 900 IN NS ns4.cynic.net.
;; Query time: 199 msec
;; SERVER: 125.100.126.243#53(125.100.126.243)
;; WHEN: Mon Apr 16 09:26:09 2007
;; MSG SIZE rcvd: 349
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
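
The check described in the reply above, as an added example that is not part of the original post and not ISC code: it sends the same kind of query as the dig command (EDNS0 with the DO bit set, recursion not requested) at buffer sizes 512 and 4096, and flags the case where the small reply arrives truncated but the large one never arrives. The function names and the diagnosis wording are assumptions made for this sketch, and the server must be given as an IPv4 address.

```python
import socket
import struct

MX = 15  # RR type code for MX

def build_query(name, qtype, bufsize, qid=1020):
    """DNS query with an EDNS0 OPT record, like dig +dnssec +bufsize=N +norec."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1)  # flags 0: RD clear; 1 question, 1 additional
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE 41, CLASS = UDP buffer size, TTL carries DO (0x8000), no RDATA
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0x8000, 0)
    return header + question + opt

def parse_header(msg):
    """Pull out the header fields dig prints on its 'flags:' line."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "tc": bool(flags & 0x0200), "rcode": flags & 0x000F,
            "answers": an, "size": len(msg)}

def probe_udp(server, name, qtype, bufsize, timeout=3.0):
    """One UDP query; returns the parsed header, or None if nothing came back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, bufsize), (server, 53))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    return parse_header(data)

def diagnose(small, large):
    """small / large: probe_udp results at bufsize 512 and 4096 (hypothetical helper)."""
    if small is None:
        return "no UDP reply even at 512 bytes: server or port 53 unreachable"
    if large is None and small["tc"]:
        return "truncated at 512, silent at 4096: large reply lost in transit, check fragment handling on firewalls"
    if large is None:
        return "reply fits in 512 bytes but the 4096 probe timed out: retry, likely packet loss"
    return "ok: %d-byte reply received over UDP" % large["size"]

if __name__ == "__main__":
    import sys
    server, name = sys.argv[1], sys.argv[2]  # server as an IPv4 address
    print(diagnose(probe_udp(server, name, MX, 512), probe_udp(server, name, MX, 4096)))
```

A reply of 1813 bytes does not fit in a single packet on a 1500-byte MTU path, so it only arrives if every device between server and client passes IP fragments.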