From mboxrd@z Thu Jan  1 00:00:00 1970
From: Paul Simmons
To: development@lists.ipfire.org
Subject: Re: [PATCH] DNS: Fall back to permissive mode if recursor mode is unavailable
Date: Wed, 08 Mar 2017 10:19:41 -0600
Message-ID: <1488989981.4066.7.camel@hughes.net>
In-Reply-To: <1488974994.24229.38.camel@ipfire.org>

On Wed, 2017-03-08 at 12:09 +0000, Michael Tremer wrote:
> Hmm...
>
> That's interesting that only AAAA records fail. No idea why the system is
> resolving those any ways, but hey...
>
> So when you do
>
>   dig @198.41.0.4 a.root-servers.net AAAA +dnssec
>
> does that work?
>
> What does
>
>   dig @8.8.8.8 +sigchase +dnssec www.ipfire.org
>
> do?
>
> -Michael
>
> ---->% massive snippage here %<----

Sorry for the delay. I have to chase everyone off the network and reboot
with another disk (development image) to test, then have to reboot with
Core105 and DNSSEC disabled to resume email :).

Here are the results:

# dig @198.41.0.4 a.root-servers.net AAAA +dnssec

; <<>> DiG 9.11.0-P3 <<>> @198.41.0.4 a.root-servers.net AAAA +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65258
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: Message has 23 extra bytes at end

;; QUESTION SECTION:
;a.root-servers.net.            IN      AAAA

;; Query time: 1 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Wed Mar 08 09:56:11 CST 2017
;; MSG SIZE  rcvd: 59

# dig @8.8.8.8 +sigchase +dnssec www.ipfire.org
;; Warning: Message parser reports malformed message packet.
;; NO ANSWERS: no more
We want to prove the non-existence of a type of rdata 1 or of the zone:
;; nothing in authority section : impossible to validate the non-existence : FAILED

;; Impossible to verify the Non-existence, the NSEC RRset can't be validated: FAILED

Thank you,
Paul