On Wed, 2017-03-08 at 12:09 +0000, Michael Tremer wrote:
> Hmm...
> 
> That's interesting that only AAAA records fail. No idea why the
> system is
> resolving those any ways, but hey...
> 
> So when you do
> 
>   dig @198.41.0.4 a.root-servers.net AAAA +dnssec
> 
> does that work?
> 
> What does
> 
>   dig @8.8.8.8 +sigchase +dnssec www.ipfire.org
> 
> do?
> 
> -Michael
> 
> ---->% massive snippage here %<----

Sorry for the delay. I have to chase everyone off the network and
reboot with another disk (development image) to test, then have to
reboot with Core105 and DNSSEC disabled to resume email :).

Here are the results:

# dig @198.41.0.4 a.root-servers.net AAAA +dnssec

; <<>> DiG 9.11.0-P3 <<>> @198.41.0.4 a.root-servers.net AAAA +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65258
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: Message has 23 extra bytes at end

;; QUESTION SECTION:
;a.root-servers.net.		IN	AAAA

;; Query time: 1 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Wed Mar 08 09:56:11 CST 2017
;; MSG SIZE  rcvd: 59

# dig @8.8.8.8 +sigchase +dnssec www.ipfire.org
;; Warning: Message parser reports malformed message packet.
;; NO ANSWERS: no more
We want to prove the non-existence of a type of rdata 1 or of the zone: 
;; nothing in authority section : impossible to validate the non-existence : FAILED

;; Impossible to verify the Non-existence, the NSEC RRset can't be validated: FAILED

Thank you,
Paul