puzzling answer of dig with +sigchase/NSEC3
Evan Hunt
each at isc.org
Mon Nov 9 17:24:29 UTC 2009
On Mon, Nov 09, 2009 at 04:47:02PM +0100, Klaus Malorny wrote:
> I would have expected to get a "SUCCESS" also, i.e. that the negative
> answer could have been validated so far. Did I miss anything? For zones
> using NSEC, like "se", this seems to work. Is there no full support for
> NSEC3 in dig yet?

Unfortunately, no.

ISC didn't write the "dig +sigchase" code; it was contributed to us by the
IDsA project, and we haven't done much to maintain it. It's somewhat buggy
and fragile code, which is why it's #ifdef'd out. We've planned for years
to overhaul or rewrite it, add NSEC3 and DLV support, and take out the
#ifdef's, but so far that's always fallen to time and resource limits.

Until we do have a proper DNSSEC-aware dig, you might try "drill" from
the Unbound project.

--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.