How to list all DNS records including DANE TLSA

Question

I would like to list all/any DNS records including the DANE TLSA.

With

dig mailbox.org ANY

I get all records including DNSSEC etc. but nothing about DANE. Why?

With

dig _443._tcp.mailbox.org. ANY

I get the DANE TLSA records.

I've read the question where someone wants to query all subdomains How can I list ALL DNS records? and am aware that this is only possible with a zone transfer.

But '_443._tcp.' isn't a real subdomain, is it? I thought it is just an SRV record. So how can I query ANYthing including DANE TLSA?

Answer 1

The command dig mailbox.org ANY asks for all records for the name mailbox.org..

The command dig _443._tcp.mailbox.org. ANY asks for all records for the name _443._tcp.mailbox.org..

mailbox.org. is not the same name as _443._tcp.mailbox.org..

Asking for all the records for one of them will not show any records for the other one. If it helps, you can think of (fully qualified) names in DNS as primary keys in a database (because that is in practice exactly what they are). If you ask the database for data for the key FOO it will not give you any data for the key FOOBAR (unless it is very badly broken). Exactly the same thing is happening here. You ask for one thing, and you do not get answers for another, different, thing.

Answer 2

You'd find the answer in Section 3 of RFC 6698:

TLSA resource records are stored at a prefixed DNS domain name. The prefix is prepared in the following manner:

1. The decimal representation of the port number on which a TLS-based service is assumed to exist is prepended with an underscore character ("_") to become the left-most label in the prepared domain name. This number has no leading zeros.
2. The protocol name of the transport on which a TLS-based service is assumed to exist is prepended with an underscore character ("_") to become the second left-most label in the prepared domain name. The transport names defined for this protocol are "tcp", "udp", and "sctp".
3. The base domain name is appended to the result of step 2 to complete the prepared domain name. The base domain name is the fully qualified DNS domain name [RFC1035] of the TLS server, with the additional restriction that every label MUST meet the rules of [RFC0952]. The latter restriction means that, if the query is for an internationalized domain name, it MUST use the A-label form as defined in [RFC5890].

Basically since you can have different "TLS-Based service" (e.g., DTLS) on different ports and this data is not included in the TLSA record set, the naming convention is there to find the correct information for the desired protocol/port combination.