getdnsapi / stubby

Stubby is the name given to a mode of using getdns which enables it to act as a local DNS Privacy stub resolver (using DNS-over-TLS).
https://dnsprivacy.org/dns_privacy_daemon_-_stubby/
BSD 3-Clause "New" or "Revised" License

"dig any" not working with stubby #226

Open ghost opened 4 years ago

ghost commented 4 years ago

Now that I have stubby and DNSSEC working, I have a problem with dig any. When I use stubby, a normal dig command works fine. I can also ask for specific record types such as A or MX, but ANY is not working.

When I explicitly use the DNS server from the stubby.yml via @ip_of_my_dns_server, dig any works fine.

wtoorop commented 4 years ago

Ack. getdns still tries to DNSSEC-validate the name/ANY combination, which it cannot, because there is no record for that name/type combination. Notice that you do get answers when you dig with the +cd (i.e. checking disabled) option. I'm not sure whether we should consider this a bug. What do you think?

ghost commented 4 years ago

Thank you very much for your reply! I understand that DNSSEC is specifically trying to validate name ANY. Since ANY is not a valid DNS record type, I would argue that it should validate every record type that is found (just as dig ANY yields records for all available record types).

+cd/+cdflag was not working for me, and I am not sure if that is what is best: using ANY as described above would still allow validation, +cd would disable validation.
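
Added example, not part of any comment above and not getdns or stubby code: it contrasts the two lookups discussed in this thread, a signature search keyed on the query's own name/ANY pair versus a check of each RRset that actually appears in the answer. The zone name, records and function names are constructed for illustration, and only the presence of a covering RRSIG is checked, with no cryptographic verification.

```python
from collections import defaultdict

ANY = 255  # QTYPE "*" (RFC 1035): a query type only, never stored as a record
TYPES = {"A": 1, "MX": 15, "TXT": 16, "RRSIG": 46}

# Constructed ANY answer for a hypothetical signed zone: (owner, type, rdata).
# For RRSIG rows the rdata is reduced to its "type covered" field (RFC 4034).
ANSWER = [
    ("example.test.", "A", "192.0.2.10"),
    ("example.test.", "A", "192.0.2.11"),
    ("example.test.", "RRSIG", "A"),
    ("example.test.", "MX", "10 mail.example.test."),
    ("example.test.", "RRSIG", "MX"),
    ("example.test.", "TXT", "v=spf1 -all"),  # deliberately left unsigned
]

def split_rrsets(answer):
    """Group records into RRsets keyed by (owner, type) and collect the
    (owner, type) pairs that some RRSIG in the answer covers."""
    rrsets, covered = defaultdict(list), set()
    for owner, rtype, rdata in answer:
        if rtype == "RRSIG":
            covered.add((owner.lower(), TYPES[rdata]))
        else:
            rrsets[(owner.lower(), TYPES[rtype])].append(rdata)
    return rrsets, covered

def signature_for_query(answer, qname, qtype):
    """Search for a signature matching the query's own name/type pair.
    For qtype ANY this can never succeed: no RRSIG covers type 255."""
    _, covered = split_rrsets(answer)
    return (qname.lower(), qtype) in covered

def per_rrset_status(answer):
    """Per-RRset check as proposed in the thread: every RRset found in the
    answer is tested for its own covering RRSIG (presence only, no crypto)."""
    rrsets, covered = split_rrsets(answer)
    return {key: key in covered for key in rrsets}

if __name__ == "__main__":
    print("name/ANY signature found:",
          signature_for_query(ANSWER, "example.test.", ANY))
    for (owner, rtype), ok in per_rrset_status(ANSWER).items():
        print(owner, rtype, "covered" if ok else "no covering RRSIG")
```

The unsigned TXT RRset shows why a per-RRset approach still needs a policy for mixed answers: one uncovered RRset has to be either dropped or fail the whole response.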