[bind10-dev] Authoritative Query Logic for DS
Kevin Tes
xiejiagui at cnnic.cn
Wed Nov 2 07:48:56 UTC 2011

If QTYPE is DS, search the available zones for the zone which is the
nearest ancestor to QNAME's parent. If such a zone is found, set the AA
flag:
1> If an RRset matching QTYPE is found, add it and its RRSIG to the
answer section, then add the NS records for the enclosing zone to the
authority section [if any], and exit.
2> If such an RRset is not found: if the zone is secure and supports NSEC,
go to 2.1; if the zone is secure and supports NSEC3, go to 2.2;
else no data has been found. Add the SOA for the enclosing zone to the
authority section of the reply, and exit.
2.1. Add the SOA of the zone and its RRSIG to the authority
section, and the NSEC RR that covered the QNAME and its RRSIG to the
authority section, and exit.
2.2. Add the SOA of the zone and its RRSIG to the authority
section, and the NSEC3 RR that covered the QNAME and its RRSIG to the
authority section, and exit.

On Wed, 2011-11-02 at 13:07 +0800, 蒋超 wrote:
> I am confused by the situation in which qtype is DS.
>
> For example: two zones are served by the authoritative server,
> "example.com" and "aa.example.com". In zone "example.com", there are
> no records for "aa.example.com" and its children. As a result, there
> are no delegated NS RRs for "aa.example.com" (because the zone
> "aa.example.com" is already served by the authoritative server, this
> configuration is incorrect). When a query with qname "aa.example.com"
> and qtype DS comes, which zone should be chosen? If the zone
> "example.com" is chosen, NXDOMAIN will be returned. But if the zone
> "aa.example.com" is chosen, NOERROR will be returned.
>
> Another situation: two zones are served by the authoritative server,
> "example.com" and "aa.example.com". In zone "example.com", there
> are NS records for "aa.example.com" but no DS records. When a query
> with qname "aa.example.com" and qtype DS comes, which one of the
> following cases will be OK?
> case1: choose the zone "example.com", return the NS RRs of
> "aa.example.com." in authority section, clear AA flag and set opcode
> NOERROR.
> case2: choose the zone "example.com", return the SOA RR of
> "example.com" in authority section, set AA flag and set opcode
> NOERROR.
> case3: choose the zone "aa.example.com", return the SOA RR of
> "aa.example.com" in authority section, set AA flag and set opcode
> NOERROR.
>
> Which one should be OK and why?
>
> Thanks
> Chao
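
The DS steps from the reply above, run over the two zone layouts in the quoted question, as an added example that is not part of the original thread and is not BIND 10 code. The dict-based zone layout, the `denial` field and all function names are assumptions; the second layout is marked NSEC-signed here so that step 2.1 is exercised, and step 2.2 (NSEC3) is left out because it needs hashed owner names.

```python
# Added example (not BIND 10 code); zone layout and names are assumptions.

def labels(name):
    return [l for l in name.lower().rstrip(".").split(".") if l]

def in_zone(name, origin):
    n, z = labels(name), labels(origin)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def find_zone(zones, name):
    """Deepest configured zone that is `name` or an ancestor of it."""
    hits = [z for z in zones if in_zone(name, z)]
    return max(hits, key=lambda z: len(labels(z)), default=None)

def nsec_owner(zone, qname):
    """Owner of the NSEC matching or covering qname (canonical order)."""
    key = lambda n: labels(n)[::-1]
    return max((o for o in zone["rrsets"] if key(o) <= key(qname)), key=key)

def answer_ds(zones, qname):
    qname = ".".join(labels(qname))
    # DS sits on the parent side of a cut, so search from QNAME's parent.
    origin = find_zone(zones, ".".join(labels(qname)[1:]))
    if origin is None:
        return None  # no served zone is an ancestor of QNAME's parent
    zone = zones[origin]
    resp = {"zone": origin, "aa": True, "answer": [], "authority": []}
    if "DS" in zone["rrsets"].get(qname, ()):
        # Step 1: DS and its RRSIG in answer, the zone's NS in authority.
        resp["answer"] += [(qname, "DS"), (qname, "RRSIG")]
        resp["authority"].append((origin, "NS"))
    elif zone["denial"] == "NSEC":
        # Step 2.1: SOA and NSEC for QNAME, each with its RRSIG.
        owner = nsec_owner(zone, qname)
        resp["authority"] += [(origin, "SOA"), (origin, "RRSIG"),
                              (owner, "NSEC"), (owner, "RRSIG")]
    elif zone["denial"] is None:
        resp["authority"].append((origin, "SOA"))  # step 2, unsigned zone
    else:
        raise NotImplementedError("step 2.2 (NSEC3) is not modelled here")
    return resp

# Constructed data: the two zone layouts from the quoted question.
CHILD = {"denial": None, "rrsets": {"aa.example.com": {"SOA", "NS"}}}
NO_DELEGATION = {"aa.example.com": CHILD, "example.com": {
    "denial": None, "rrsets": {"example.com": {"SOA", "NS"}}}}
NS_BUT_NO_DS = {"aa.example.com": CHILD, "example.com": {
    "denial": "NSEC", "rrsets": {"example.com": {"SOA", "NS"},
                                 "aa.example.com": {"NS"}}}}
```

In both layouts the search starts at "example.com", the parent of QNAME, so the zone "aa.example.com" is never selected for this query.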