No Response to DNSSEC Requests

Mark Andrews Mark_Andrews at isc.org
Sun Apr 15 23:28:29 UTC 2007


> I'm running BIND 9.3.4.
> 
> I have the following questions:
> 
>      a) Under what circumstances does BIND not reply to DNSSEC queries?
> 
>      b) How do I get some logging to tell me why it's ignoring DNSSEC
>      queries? (dnssec debug level 3 is entirely silent when it's doing
>      this.)
> 
>      c) Why is it that ns1.cynic.net responds (when queried with dig) to
>      queries for "cynic.net SOA" with and without "+dnssec", responds to
>      queries for "cynic.net MX" without "+dnssec", but is simply silent
>      (no response whatsoever, nothing in the logs) when queried for
>      "cynic.net MX" with "+dnssec"? (A DNSSEC-validating server--also
>      the same version of BIND 9--has the same issue: it can't see the MX
>      records.)

	It does respond.  I think you should look at your firewall.
	The UDP response will be fragmented (1813 bytes in total).
 
> I note also that I can get MXs for ironic.cynic.net just fine, but,
> e.g., arctic.cynic.net doesn't work. It seems that any set of MX records
> that includes cryptic.cynic.net won't be returned for a DNSSEC query.
> 
> cjs
> -- 
> Curt Sampson            <cjs at cynic.net>             +81 90 7737 2974
>    The power of accurate observation is commonly called cynicism
>    by those who have not got it.    --George Bernard Shaw
> 
> 

; <<>> DiG 9.3.3 <<>> cynic.net MX @ns1.cynic.net +dnssec +bufsize=512 +norec +ignore
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1020
;; flags: qr aa tc; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;cynic.net.			IN	MX

;; ANSWER SECTION:
cynic.net.		900	IN	MX	20 cryptic.cynic.net.
cynic.net.		900	IN	MX	10 ironic.cynic.net.
cynic.net.		900	IN	MX	15 arctic.cynic.net.
cynic.net.		900	IN	RRSIG	MX 5 2 900 20070714154813 20070415154813 61752 cynic.net. P9rDuZIzjRaejL8MOlnHZc8ImIUoUbinOttNsOVlt1nxGCwYlHepnH4U MV0EUC0Dsv7FY983Uyvpj5eLrMW5EaEhgHrmTjjkusVXdaDVDRAwczzA zMUhEq98jMMAwNhwE8SN4TAVHdzuIzd0BpsF5uE7hzXkCpjDpzqv4SCM 48s=

;; AUTHORITY SECTION:
cynic.net.		900	IN	NS	ns1.cynic.net.
cynic.net.		900	IN	NS	ns2.cynic.net.
cynic.net.		900	IN	NS	ns3.cynic.net.
cynic.net.		900	IN	NS	ns4.cynic.net.

;; Query time: 199 msec
;; SERVER: 125.100.126.243#53(125.100.126.243)
;; WHEN: Mon Apr 16 09:26:09 2007
;; MSG SIZE  rcvd: 349

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
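
The fragmentation referred to in the reply, worked through as an added example (not part of the original post or of BIND). It assumes the 1813 bytes are the DNS message size, a 1500-byte Ethernet MTU, IPv4 with no options, and a simplified filter model that passes only packets carrying a UDP header; the function names are hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass

IPV4_HEADER = 20  # assumption: IPv4 header without options
UDP_HEADER = 8


@dataclass
class Fragment:
    offset_units: int     # IP "fragment offset" field, counted in 8-byte units
    ip_total_length: int  # IP header plus the data carried by this fragment
    more_fragments: bool  # MF flag
    has_udp_header: bool  # only the first fragment contains the port numbers


def fragment_udp(dns_len: int, mtu: int = 1500) -> list[Fragment]:
    """Split one UDP datagram carrying dns_len bytes of DNS message."""
    if dns_len < 0 or mtu < IPV4_HEADER + 8:
        raise ValueError("invalid size")
    remaining = UDP_HEADER + dns_len         # bytes of IP payload to carry
    per_frag = (mtu - IPV4_HEADER) // 8 * 8  # non-final fragments: multiple of 8
    frags, offset = [], 0
    while True:
        last = remaining <= mtu - IPV4_HEADER
        chunk = remaining if last else per_frag
        frags.append(Fragment(offset // 8, IPV4_HEADER + chunk,
                              not last, offset == 0))
        if last:
            return frags
        offset += chunk
        remaining -= chunk


def max_unfragmented_dns(mtu: int = 1500) -> int:
    """Largest DNS message that still fits in a single IPv4 packet."""
    return mtu - IPV4_HEADER - UDP_HEADER


def survives_port_only_filter(dns_len: int, mtu: int = 1500) -> bool:
    """Simplified model: a filter that cannot see ports in a packet drops it,
    and losing any fragment loses the whole datagram at reassembly."""
    return all(f.has_udp_header for f in fragment_udp(dns_len, mtu))


if __name__ == "__main__":
    for size in (349, 1813):  # truncated +bufsize=512 reply vs. full reply
        print(size, fragment_udp(size), survives_port_only_filter(size))
```

Under these assumptions the 349-byte truncated answer travels as one packet, while the full answer needs a second fragment that has no UDP header for a port-based rule to match.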


