DNSSEC debugging: TC and AD-Flag set?
Tom
tomtux007 at gmail.com
Mon Feb 25 08:54:30 UTC 2019
Hi list
I've enabled deep log-debugging in BIND 9.12.2-P1 (resolver) for DNSSEC
purposes and was wondering why my resolver received an "authenticated
data" answer from one of the authoritative servers for "org."
(199.19.57.1), while the response also has the TC (truncated) flag set:
25-Feb-2019 08:26:05.172 resolver: debug 10: log_ns_ttl: fctx
0x7f89ac0021a0: rctx_answer: dnssec-failed.org (in 'org'?): 1 0
25-Feb-2019 08:26:05.172 dnssec: debug 3: validating
dnssec-failed.org/DS: starting
25-Feb-2019 08:26:05.172 dnssec: debug 3: validating
dnssec-failed.org/DS: attempting positive response validation
25-Feb-2019 08:26:05.172 dnssec: debug 9: validating
dnssec-failed.org/DS: get_key: creating fetch for org DNSKEY
25-Feb-2019 08:26:05.172 resolver: debug 1: fetch: org/DNSKEY
25-Feb-2019 08:26:05.172 resolver: debug 10: log_ns_ttl: fctx
0x7f89a00008c0: fctx_create: org (in 'org'?): 1 0
25-Feb-2019 08:26:05.172 resolver: debug 11: sending packet to
199.19.57.1#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1478
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
; COOKIE: c03358ce09f38ecc
;; QUESTION SECTION:
;org. IN DNSKEY
25-Feb-2019 08:26:05.265 resolver: debug 10: received packet from
199.19.57.1#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1478
;; flags: qr aa tc ad; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;org. IN DNSKEY
...
...
Any hints for this behavior?
Many thanks.
Tom
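As an added example, not part of the original post and not BIND's own code, the following script shows what the two header lines in the log above look like on the wire and the check a resolver applies before it uses a truncated reply. The two 12-byte headers are reconstructed from the logged values (id 1478, flags "qr aa tc ad", section counts 1/0/0/1) and are labelled as constructed; the EDNS OPT record, cookie and question section are not modelled. Function names are illustrative.

```python
"""Decode the 12-byte DNS message header and apply the TC check a resolver must make."""
import struct

# Bit positions in the 16-bit flags word (RFC 1035 s4.1.1; AD/CD from RFC 4035 s3.1.6).
# Bits 14-11 carry the opcode, bits 3-0 the RCODE, bit 6 is the reserved Z bit.
FLAG_BITS = {"qr": 15, "aa": 10, "tc": 9, "rd": 8, "ra": 7, "ad": 5, "cd": 4}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_header(qid, flags=(), opcode=0, rcode=0, qd=0, an=0, ns=0, ar=0):
    """Serialise a header; section counts are QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT."""
    word = ((opcode & 0xF) << 11) | (rcode & 0xF)
    for name in flags:
        word |= 1 << FLAG_BITS[name]
    return struct.pack("!HHHHHH", qid, word, qd, an, ns, ar)


def parse_header(msg):
    """Decode the first 12 bytes of a DNS message into a dict of header fields."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    qid, word, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid,
        "opcode": (word >> 11) & 0xF,
        "rcode": word & 0xF,
        # Flag names in the order dig/BIND print them.
        "flags": [name for name, bit in FLAG_BITS.items() if word & (1 << bit)],
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def dig_style(hdr):
    """Render the flags line the way BIND's packet dump in the log prints it."""
    flagstr = (" " + " ".join(hdr["flags"])) if hdr["flags"] else ""
    return (";; flags:%s; QUESTION: %d, ANSWER: %d, AUTHORITY: %d, ADDITIONAL: %d"
            % (flagstr, hdr["qdcount"], hdr["ancount"], hdr["nscount"], hdr["arcount"]))


def needs_tcp_retry(hdr):
    """TC means the reply did not fit the UDP payload size and was cut short.

    A resolver must re-send the query over TCP (RFC 1035 s4.2.1, RFC 7766) and
    must not treat the truncated message as the answer, whatever other flags it
    carries: the section counts are 0/0/1 here precisely because the DNSKEY
    RRset and its RRSIGs were dropped.
    """
    return "tc" in hdr["flags"]


def validator_can_use(hdr):
    """Whether a validating resolver may feed this message to its validator.

    The upstream AD bit is informational only; the resolver validates the
    signatures itself, and it can only do that on a complete (non-TC) reply.
    """
    return not needs_tcp_retry(hdr)


# Constructed headers mirroring the logged exchange with 199.19.57.1 (no OPT record).
QUERY_HEADER = build_header(1478, flags=(), qd=1, ar=1)
RESPONSE_HEADER = build_header(1478, flags=("qr", "aa", "tc", "ad"), qd=1, ar=1)

if __name__ == "__main__":
    for label, raw in (("sent", QUERY_HEADER), ("received", RESPONSE_HEADER)):
        hdr = parse_header(raw)
        print(label, raw.hex())
        print(";; ->>HEADER<<- opcode: %d, status: %s, id: %d"
              % (hdr["opcode"], RCODES.get(hdr["rcode"], str(hdr["rcode"])), hdr["id"]))
        print(dig_style(hdr))
        print("retry over TCP:", needs_tcp_retry(hdr), "| usable by validator:", validator_can_use(hdr))
```

The received header decodes to 0x8620 (qr|aa|tc|ad), so the script reports that the reply must be re-fetched over TCP before the validator sees it; the AD bit on a truncated authoritative reply gives the resolver nothing it can act on.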