Bob Halley Bob.Halley at
Thu Dec 12 20:49:54 UTC 2002

Paul Vixie <paul at> writes:

> i still think NOERROR/ANCOUNT=0 is the right answer.

To do this with DNSSEC would imply generating NXT and SIG NXT for the
otherwise empty nonterminal nodes when you signed the zone.

At least from a quick check, the DNSSEC spec seems to be silent on
whether such records should be created or not.

When we had bitstring labels, this synthesis would have been
especially icky and wasteful, because for a typical IPv6 reverse
address you would have had to synthesize at least 64 levels of
non-terminals that were empty except for NXT and SIG NXT.

To avoid the bitstring overhead, and for simplicity (Why have a node
which is forced into existence just to be an empty nonterminal?  It
isn't needed to make the protocol work), I chose the NXDOMAIN
interpretation in BIND 9.


More information about the bind-workers mailing list