DNS queries to ns[1-5].he.net - Type "ANY"

[snarked]

Queries for RR-type "ANY" seem to return SERVFAIL, while queries for the same label for specific RR-types return success (for those which exist).

If RR-type "ANY" queries won't be answered, isn't the appropriate response REFUSED, not SERVFAIL?

If someone is having problems with the DNS service, they are likely to test it by manually querying some records, and it is likely that at least some queries will be for any record for a label.  Returning SERVFAIL instead of REFUSED leads them in the wrong direction for diagnosing the problem.

I recognize that HE may need to refer this issue to its DNS software vendor.

PS:  Your web display of a zone doesn't seem to know that RR-types 50 and 51 are called NSEC3 and NSEC3PARAM, so as long as you have to deal with your vendor, ....

[broquea]

Was this sent to dnsadmin@he.net?

[snarked]

Not yet.  I wanted to verify the behavior here first - plus sending it to the dnsadmin mailbox does nothing to alert others of a possible problem or issue.

[lorenzoz]

I don't have any problem with ANY queries.
This is a DIG ANY to ns1.he.net: http://pastebin.com/Sws3sQcN

[broquea]

I don't have any problem with ANY queries.
This is a DIG ANY to ns1.he.net: http://pastebin.com/Sws3sQcN

Only slightly curious why you X'ed out the IPs, when someone can just rerun the query and get them :)

[patrickdk]

I always wonder why people bother doing that ever. It's not like an ip is private information, or a password.

It's public, and registered, and indexed.

[snarked]

Here's what I get - First, a query for "ANY" (for one of my own domains):

; <<>> DiG 9.7.1-P2 <<>> snarked.org any @ns1.he.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39379
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;snarked.org.                   IN      ANY

;; Query time: 12 msec
;; SERVER: 216.218.130.2#53(216.218.130.2)
;; WHEN: Sat Jul 17 22:20:03 2010
;; MSG SIZE  rcvd: 29

Next, a query for just the SOA:

; <<>> DiG 9.7.1-P2 <<>> snarked.org soa @ns1.he.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39818
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;snarked.org.                   IN      SOA

;; ANSWER SECTION:
snarked.org.            21600   IN      SOA     ns.snarked.org. hostmaster.snarked.org. 2010071600 43200 7200 2419200 10800

;; Query time: 12 msec
;; SERVER: 216.218.130.2#53(216.218.130.2)
;; WHEN: Sat Jul 17 22:21:04 2010
;; MSG SIZE  rcvd: 90

As demonstrated, the "ANY" query indicates server failure, while a query for a specific record type succeeds (any specific type - doesn't matter which).

The results are the same whether I query directly on my server (West Coast and as above) or from http://network-tools.com/nslook/Default.asp (near NYC).  As the zone is DNSSEC signed with NSEC3, could that be the problem?

[gshaver]

NSEC3 is causing the backend to throw an exception and bail on the request. 
They have added support for NSEC3 in their DNSSEC build, but it is not stable enough for production use.

Hopefully it won't be too much longer before we can start playing around with the dnssec stuff.

Gary

[snarked]

Well, I'm glad to know that I in fact discovered a problem. ;)  Since normal operations generally don't query for "ANY", I can live with this for the meantime (until it's fixed).

This also explains why my IPv6-HE-routed reverse zone works - I haven't signed it yet.