NSEC3 records not available through a BIND resolver <= 9.5?

[Evan Hunt]

> BIND <=9.5 doesn't know that it's supposed to pass them in a NXDOMAIN
> response.

Correct, and whoops.  We should have backported at least that much
knowledge of NSEC3.

> That said, I thought it would be possible to explicitely ask for TYPE50.
> But that seems not to work, either:

IIRC, RFC 5155 says that authoritative servers must not answer direct
queries for NSEC3.

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.