Some RR types handled in a special (and erroneous) way when validating with DNSSEC?
This zone is DNSSEC-broken: there is a DS in the parent, but the authoritative servers do not send signatures.
Rightly so, Knot DNS Resolver version 1.2.3 (running on a Turris Omnia) SERVFAILs:
root@turris:~# dig MX dns-lab.net
; <<>> DiG 9.9.8-P4 <<>> MX dns-lab.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10397
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;dns-lab.net. IN MX
;; Query time: 73 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Mar 12 19:52:48 UTC 2017
;; MSG SIZE rcvd: 29
root@turris:~# dig +cd +dnssec MX dns-lab.net
; <<>> DiG 9.9.8-P4 <<>> +cd +dnssec MX dns-lab.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64639
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dns-lab.net. IN MX
;; AUTHORITY SECTION:
dns-lab.net. 512 IN SOA ns1.dns-lab.net. yeti.biigroup.cn. 2016113046 1800 900 604800 86400
dns-lab.net. 86312 IN NSEC bii.dns-lab.net. NS SOA RRSIG NSEC DNSKEY TYPE65534
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Mar 12 19:54:19 UTC 2017
;; MSG SIZE rcvd: 168
Same thing if the query type is AAAA or TXT.
But the SOA always works (it shouldn't):
root@turris:~# dig +dnssec SOA dns-lab.net
; <<>> DiG 9.9.8-P4 <<>> +dnssec SOA dns-lab.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55642
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dns-lab.net. IN SOA
;; ANSWER SECTION:
dns-lab.net. 600 IN SOA ns1.dns-lab.net. yeti.biigroup.cn. 2016113046 1800 900 604800 86400
;; Query time: 318 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Mar 12 19:54:57 UTC 2017
;; MSG SIZE rcvd: 96
Worse, there is even the AD bit.
It seems it is not put in the cache: the TTL is always the same.
NS also works. It seems that the query succeeds when there is a value for this type (this is not normal).
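The check below is an added example, not part of the original message and not Knot Resolver code. It is a stdlib-only Python probe that reproduces what the dig commands above do by hand: it builds queries with the DO bit set (like +dnssec), sends one per RRtype to a resolver, and then flags the two symptoms described in the report, namely a name for which some types SERVFAIL while others return NOERROR, and a NOERROR answer that carries the AD bit but no RRSIG. The function names, the `build_response` helper and the `demo()` replay are assumptions made for this example; `demo()` reconstructs the reported SOA/MX behaviour from constructed messages so the logic runs offline, while `probe()` performs the live query against a resolver address you supply.

```python
"""Probe a validating resolver for per-RRtype DNSSEC inconsistency.

Hypothetical, stdlib-only checker (example code, not Knot Resolver's).  For a
name whose parent publishes a DS, a validating resolver must either return a
validated (AD) answer carrying RRSIGs or SERVFAIL, and it must do so for every
RRtype of that name.  Answering SOA/NS with AD but SERVFAILing MX is a bug.
"""
import random
import socket
import struct
import sys

TYPES = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28,
         "RRSIG": 46, "NSEC": 47, "DNSKEY": 48}
FLAG_RD, FLAG_RA, FLAG_CD, FLAG_AD = 1 << 8, 1 << 7, 1 << 4, 1 << 5
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels plus root."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, cd=False, msg_id=None):
    """Query with RD, optional CD (dig +cd) and an OPT RR with DO (dig +dnssec)."""
    msg_id = random.randrange(1 << 16) if msg_id is None else msg_id
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT: owner ".", type 41, UDP payload 4096, ext-rcode 0, EDNS0, DO=0x8000, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def build_response(msg_id, rcode, ad, question, answer=(), authority=()):
    """Constructed reply for offline use; RRs are (name, rtype, ttl, rdata)."""
    flags = 0x8000 | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0) | rcode  # QR set

    def rr(name, rtype, ttl, rdata):
        return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

    body = encode_name(question[0]) + struct.pack("!HH", question[1], 1)
    body += b"".join(rr(*r) for r in answer) + b"".join(rr(*r) for r in authority)
    return struct.pack("!HHHHHH", msg_id, flags, 1, len(answer), len(authority), 0) + body


def skip_name(buf, off):
    """Advance past a (possibly compressed) owner name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(buf):
    """Return rcode, AD/CD flags and the RR types seen in each section."""
    msg_id, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", buf, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4  # QTYPE + QCLASS
    sections = []
    for count in (an, ns, ar):
        types = []
        for _ in range(count):
            off = skip_name(buf, off)
            rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
            off += 10 + rdlen
            types.append(rtype)
        sections.append(types)
    return {"id": msg_id, "rcode": flags & 0xF, "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "answer": sections[0],
            "authority": sections[1], "additional": sections[2]}


def classify(results):
    """results: {qtype_name: parsed DO=1, CD=0 response}.  Returns findings."""
    servfail = sorted(t for t, r in results.items() if r["rcode"] == RCODE_SERVFAIL)
    noerror = sorted(t for t, r in results.items() if r["rcode"] == RCODE_NOERROR)
    # With DO set, a validated (AD) positive answer must carry its RRSIGs.
    ad_unsigned = sorted(t for t in noerror if results[t]["ad"] and results[t]["answer"]
                         and TYPES["RRSIG"] not in results[t]["answer"])
    findings = []
    if servfail and noerror:
        findings.append("inconsistent: SERVFAIL for %s but NOERROR for %s"
                        % (",".join(servfail), ",".join(noerror)))
    for t in ad_unsigned:
        findings.append("AD set on %s answer with no RRSIG" % t)
    return findings


def probe(resolver, name, types=("SOA", "NS", "MX", "AAAA", "TXT"), timeout=3.0):
    """Live check: one DO=1 UDP query per type against `resolver` (port 53)."""
    results = {}
    for t in types:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, TYPES[t]), (resolver, 53))
            data, _ = s.recvfrom(4096)
        results[t] = parse_response(data)
    return results


def demo():
    """Replay the reported observation with constructed messages (no network)."""
    name = "dns-lab.net."
    soa_rdata = (encode_name("ns1.dns-lab.net.") + encode_name("yeti.biigroup.cn.")
                 + struct.pack("!IIIII", 2016113046, 1800, 900, 604800, 86400))
    soa = build_response(1, RCODE_NOERROR, True, (name, TYPES["SOA"]),
                         answer=[(name, TYPES["SOA"], 600, soa_rdata)])
    mx = build_response(2, RCODE_SERVFAIL, False, (name, TYPES["MX"]))
    return classify({"SOA": parse_response(soa), "MX": parse_response(mx)})


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: probe.py <resolver-ip> <name>
        for line in classify(probe(sys.argv[1], sys.argv[2])):
            print(line)
    else:
        print("\n".join(demo()))
```

Run with a resolver address and a name to probe a live resolver; with no arguments it replays the constructed SOA/MX pair and reports both findings. The probe only looks at rcode, the AD flag and the presence of RRSIG records; it does not itself validate signatures, so it is a consistency check on the resolver, not a substitute for one.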