farrokhi / dnsdiag

DNS Measurement, Troubleshooting and Security Auditing Toolset
https://dnsdiag.org/
BSD 2-Clause "Simplified" License

-t rrsig not working? #14

Closed webernetz closed 8 years ago

webernetz commented 8 years ago

When using the type "-t rrsig", dnsping says "no answer". But it should.

See this example in which I tested it with dig and then with dnsping:

```
weberjoh@jw-nb12:~/dnsdiag$ dig host-dane.weberdns.de rrsig

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> host-dane.weberdns.de rrsig
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7016
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;host-dane.weberdns.de.         IN      RRSIG

;; ANSWER SECTION:
host-dane.weberdns.de.  86400   IN      RRSIG   NSEC 8 3 86400 20160525191153 20160425185305 57909 weberdns.de. egrLR/5JOOuvOc51PCAKHdwhZeIpF595U8DJ5pruyOihzTkTNxsAYTP7 LSVI9AQ2u6z4ZqiTHDD7+9lS+57bLsVdWVR1g6ohagUQQCgJcxBALe4j TEjcHXQ6uc4fUXLsmbh6L9Puf6FmX7G25/JiOkcxqaoRIR/MKOTNyFAR CPU=
host-dane.weberdns.de.  3600    IN      RRSIG   AAAA 8 3 3600 20160608190707 20160509184934 57909 weberdns.de. JPW5MEgej+zcVflEY/zvndwiRTNlR9+EmtnFZ6DVs9hVApWcDLvCp104 c1pGVQGRSPsNHKuD62N3555Wsr7oW2W7l0TAC7shRuJJ9UxA6H2ODimd cVAfYn6Fye0llHZg5IRnab/WvFktQQtVea30ooiCMPfgiTc6DnhAiRbs xSE=

;; Query time: 9 msec
;; SERVER: 194.25.0.68#53(194.25.0.68)
;; WHEN: Thu May 12 09:35:31 CEST 2016
;; MSG SIZE  rcvd: 381

weberjoh@jw-nb12:~/dnsdiag$ ./dnsping.py -v -t rrsig host-dane.weberdns.de
dnsping.py DNS: 194.25.0.68:53, hostname: host-dane.weberdns.de, rdatatype: rrsig
No answer
No answer
No answer
No answer
No answer
No answer
No answer
No answer
No answer
No answer

--- 194.25.0.68 dnsping statistics ---
10 requests transmitted, 0 responses received, 100% lost
min=0.000 ms, avg=0.000 ms, max=0.000 ms, stddev=0.000 ms
```

(With other uncommon types such as `-t tlsa`, it works, such as: `./dnsping.py -v -t tlsa _443._tcp.host-dane.weberdns.de` Great!)

farrokhi commented 8 years ago

This is weird, because when dumping network-level information I can see the queries are completed and the full answer is being returned (both with dnsping and dig, and both happen over UDP only). I need to look into it more deeply.

BTW, answering less common types like tlsa works because of the awesome dnspython library that I used in this project. Kudos to them.
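The maintainer's observation above, that the answer is on the wire even though the tool reports "No answer", is the kind of thing worth checking without going through a DNS library at all. The following is an added example, not code from dnsdiag or dnspython: a standard-library-only script that builds an RRSIG query, parses the answer section of the reply, and for each RRSIG record reports the type it covers (per RFC 4034 the type covered is the first field of RRSIG rdata). The sample response it parses offline is constructed here to look like the dig output in this issue (two RRSIGs, covering NSEC and AAAA, the second owner name compressed to a pointer); it is not a capture from the original report. The script name `rrsig_check.py` and the `<server> <name>` arguments are assumptions for the usage line.

```python
# Added example (not dnsdiag or dnspython code): wire-level check of an RRSIG query
# using only the standard library, so a library's "no answer" can be compared with
# what the resolver actually returned. The sample response below is constructed,
# not captured.
import socket
import struct

RRSIG = 46
TYPE_NAMES = {1: "A", 28: "AAAA", 46: "RRSIG", 47: "NSEC", 52: "TLSA"}


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, txid=0x1234):
    """Standard query: RD set, QDCOUNT=1, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    for _ in range(128):  # guard against compression-pointer loops
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    else:
        raise ValueError("name too long or compression loop")
    return ".".join(labels) + ".", end if end is not None else off


def parse_answers(msg):
    """Return (rcode, answer records); RRSIG records also carry the type covered."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        rec = {"name": name, "type": rtype, "ttl": ttl}
        if rtype == RRSIG:  # RFC 4034 3.1: type covered is the first rdata field
            rec["covers"] = struct.unpack("!H", rdata[:2])[0]
        answers.append(rec)
    return flags & 0xF, answers


def rrsig_rdata(covers, signer, ttl, algorithm=8, labels=3, key_tag=57909):
    """RRSIG rdata with a dummy signature (constructed, not a real signature)."""
    fixed = struct.pack("!HBBIIIH", covers, algorithm, labels, ttl, 0, 0, key_tag)
    return fixed + encode_name(signer) + b"\x00" * 16


def constructed_rrsig_response():
    """Constructed NOERROR reply: two RRSIGs (covering NSEC and AAAA) for the
    question name, the second owner compressed to a pointer at offset 12."""
    qname = "host-dane.weberdns.de."
    header = struct.pack("!HHHHHH", 7016, 0x8180, 1, 2, 0, 0)  # QR RD RA, rcode 0
    question = encode_name(qname) + struct.pack("!HH", RRSIG, 1)

    def rr(owner, ttl, rdata):
        return owner + struct.pack("!HHIH", RRSIG, 1, ttl, len(rdata)) + rdata

    return (header + question
            + rr(encode_name(qname), 86400, rrsig_rdata(47, "weberdns.de.", 86400))
            + rr(b"\xc0\x0c", 3600, rrsig_rdata(28, "weberdns.de.", 3600)))


def query_udp(server, qname, qtype, timeout=2.0):
    """One UDP query, raw reply back (truncated replies are not retried over TCP)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qtype), (server, 53))
        return s.recv(4096)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python3 rrsig_check.py <server> <name>
        msg = query_udp(sys.argv[1], sys.argv[2], RRSIG)
    else:
        msg = constructed_rrsig_response()
    rcode, answers = parse_answers(msg)
    print("rcode", rcode, "answers", len(answers))
    for a in answers:
        covers = TYPE_NAMES.get(a.get("covers"), a.get("covers")) if "covers" in a else ""
        print(a["name"], a["ttl"], TYPE_NAMES.get(a["type"], a["type"]), covers)
```

Run without arguments it parses the constructed reply and lists two RRSIG records covering NSEC and AAAA; with a server and name it shows what that resolver really sent for an RRSIG query. The practical point is that on the wire an answer to an RRSIG question is a set of records of type 46 whose covered types differ from record to record, so any code that matches answers against the question must match on type 46 and treat the covered type as data, not as part of the match.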