No Response to DNSSEC Requests
Curt Sampson
cjs at cynic.net
Sun Apr 15 17:38:46 UTC 2007
I'm running BIND 9.3.4.
I have the following questions:
a) Under what circumstances does BIND not reply to DNSSEC queries?
b) How do I get some logging to tell me why it's ignoring DNSSEC
queries? (dnssec debug level 3 is entirely silent when it's doing
this.)
c) Why is it that ns1.cynic.net responds (when queried with dig) to
queries for "cynic.net SOA" with and without "+dnssec", responds to
queries for "cynic.net MX" without "+dnssec", but is simply silent
(no response whatsoever, nothing in the logs) when queried for
"cynic.net MX" with "+dnssec"? (A DNSSEC-validating server--also
the same version of BIND 9--has the same issue: it can't see the MX
records.)
I note also that I can get MXs for ironic.cynic.net just fine, but,
e.g., arctic.cynic.net doesn't work. It seems that any set of MX records
that includes cryptic.cynic.net won't be returned for a DNSSEC query.
cjs
--
Curt Sampson <cjs at cynic.net> +81 90 7737 2974
The power of accurate observation is commonly called cynicism
by those who have not got it. --George Bernard Shaw