DS queries on parents vs. "correct behaviour" in answering

Peter Janssen peter.janssen at eurid.eu
Sat Dec 4 20:53:34 UTC 2010

When a validating resolver queries the parent of a zone for the DS
and the (child) zone is NOT signed,  the response contains no answer
but it does contain NSEC (NSEC3) record(s) in the authority section
together with corresponding RRSIG records (parent zone is signed).
Would it be considered ok, harmfull, not allowed, (any other word)
to include in that answer the NS RRSET for the child zone
(obviously without any RRSIG)?

Against RFC? Not specified?
Would it break resolvers?  Any or all implementations?

What do you think?



Register your .eu domain name and win an iPod touch this X-Mas

More information about the bind-users mailing list