Mark_Andrews at Mark_Andrews at
Fri Dec 13 01:30:36 UTC 2002

> At 17:08 2002-12-12, Mark_Andrews at wrote:
> >         Well I still think there is DNSSEC is wrong on this and the
> >         rcode should be NOERROR.  We should use DS as a opportunity to
> >         fix this.
> Not needed we are in the process of re documenting DNSSEC and
> this should be covered there. I have forwarded this thread to the
> editors to figure out if this is a simple clarify or requires
> action. Feel free to bring this issue up on namedroppers and
> if we have a clear consensus that Bind-9 is wrong then DNSSEC-bis
> can reflect that.

	I was meaning that any change in code should be rolled out
	along with the DS rollout.  I didn't mean that this should be
	part of the DS spec.

> >         It is possible by looking at the NXT record alone to determine
> >         if the query name is actually for a empty node.
> Exactly, the non terminal node exists in the sense it terminates a wild
> card but as there is no data a the node no NXT is needed for it.

	Given these two nodes that are adjacent when the zone is sorted
	in DNSSEC (flat) order:

	Queries against: would return NOERROR would return NXDOMAIN
	In both cases the NXT record would be: NXT ... NXDOMAIN is a error NOERROR is a error


>          Olafur
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at

More information about the bind-workers mailing list