I would like to list all/any DNS records including the DANE TLSA.
With
dig mailbox.org ANY
I get all records including DNSSEC etc. but nothing about DANE. Why?
With
dig _443._tcp.mailbox.org. ANY
I get the DANE TLSA records.
I've read the question where someone wants to query all subdomains ("How can I list ALL DNS records?") and am aware that this is only possible with a zone transfer.
But '_443._tcp.' isn't a real subdomain, is it? I thought it is just an SRV record. So how can I query ANYthing including DANE TLSA?
The command dig mailbox.org ANY asks for all records for the name mailbox.org..
The command dig _443._tcp.mailbox.org. ANY asks for all records for the name _443._tcp.mailbox.org..
mailbox.org. is not the same name as _443._tcp.mailbox.org..
Asking for all the records for one of them will not show any records for the other one. If it helps, you can think of (fully qualified) names in DNS as primary keys in a database (because that is in practice exactly what they are). If you ask the database for data for the key FOO it will not give you any data for the key FOOBAR (unless it is very badly broken). Exactly the same thing is happening here. You ask for one thing, and you do not get answers for another, different, thing.
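An added example, not part of the answer above: since each TLSA record set sits at its own owner name, _<port>._<proto>.<host>, a check for DANE has to build that name for every service port and query it explicitly. The function names and the port list in the usage comment are assumptions made for this sketch.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names): build and query TLSA owner names.

# Build the TLSA owner name for one service. Accepts the host with or without
# a trailing dot and prints a fully qualified, lower-case name.
tlsa_name() {
    local port="$1" proto="$2" host="${3%.}"
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "invalid port: $port" >&2; return 1; }
    case "$proto" in
        tcp|udp|sctp) ;;
        *) echo "invalid protocol: $proto" >&2; return 1 ;;
    esac
    [ -n "$host" ] || { echo "empty host" >&2; return 1; }
    printf '_%s._%s.%s.\n' "$port" "$proto" "$(printf '%s' "$host" | tr 'A-Z' 'a-z')"
}

# Print one TLSA owner name per TCP port given for a host.
tlsa_candidates() {
    local host="$1" port
    shift
    for port in "$@"; do
        tlsa_name "$port" tcp "$host" || return 1
    done
}

# Query every candidate name for type TLSA (needs dig and network access).
# The type is asked for explicitly instead of ANY, which many servers
# answer only minimally (RFC 8482).
query_tlsa() {
    local name
    tlsa_candidates "$@" | while read -r name; do
        printf '== %s\n' "$name"
        dig +short "$name" TLSA
    done
}

# Usage: ./tlsa.sh mailbox.org 443 465 993
if [ "$#" -ge 2 ]; then
    query_tlsa "$@"
fi
```

An empty result for a name means no TLSA record set is published at exactly that name; for SMTP, the record belongs to the MX host name (_25._tcp.<mx-host>), not to the mail domain itself.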