[dns-operations] NXDOMAIN vs NODATA for suffixes of existing name

Florian Weimer fw at deneb.enyo.de
Mon Apr 17 09:16:26 UTC 2006

* Paul Vixie:

> to me, b.example.net exists because that's what we decided for dnssec,

Post-RFC-4035, I assume?  Because RFC 4035 says, in section 3.1.32:

| Note that this form of response includes cases in which SNAME
| corresponds to an empty non-terminal name within the zone (a name
| that is not the owner name for any RRset but that is the parent name
| of one or more RRsets).

This also follows from the prohibition of NSEC generation for empty
non-terminals (section 2.3, "An NSEC record (and its associated RRSIG
RRset) MUST NOT be the only RRset at any particular owner name."), as
you would need such an NSEC RR for responding with NODATA.  This means
that the draft-ietf-dnsext-wcard-clarify (thanks Peter and Edward!) is
in conflict with DNSSEC (as a simple update of the DNSSEC spec is not

Ah, draft-ietf-dnsext-nsec3 handles this case differently, matching the

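As an added example (not part of the original post), the sketch below builds the NSEC chain for a small constructed zone and shows that the empty non-terminal b.example.net owns no NSEC and is only covered by one, the same proof shape as for a nonexistent name. The zone contents and function names are assumptions made for illustration.

```python
# Added illustration; zone contents are constructed, helper names are hypothetical.

def canon_key(name):
    """RFC 4034 section 6.1 canonical order: compare labels right to left, lowercased."""
    return tuple(l.encode() for l in reversed(name.lower().rstrip(".").split(".")))

def classify(qname, owners):
    """Return 'owner', 'empty-non-terminal' or 'nonexistent' for qname."""
    q = qname.lower().rstrip(".")
    names = {o.lower().rstrip(".") for o in owners}
    if q in names:
        return "owner"
    # Not an owner name itself, but the parent of at least one owner name.
    if any(o.endswith("." + q) for o in names):
        return "empty-non-terminal"
    return "nonexistent"

def nsec_chain(owners):
    """One NSEC per owner name, linking to the next owner in canonical order;
    the last one wraps around to the first (the apex)."""
    ordered = sorted({o.lower().rstrip(".") for o in owners}, key=canon_key)
    return [(o, ordered[(i + 1) % len(ordered)]) for i, o in enumerate(ordered)]

def denial_nsec(qname, owners):
    """Return ('match', owner, next) if qname owns an NSEC,
    else ('cover', owner, next) for the NSEC whose span contains qname.
    Assumes qname lies within the zone."""
    q = qname.lower().rstrip(".")
    chain = nsec_chain(owners)
    for owner, nxt in chain:
        if owner == q:
            return ("match", owner, nxt)
    k = canon_key(q)
    for owner, nxt in chain[:-1]:
        if canon_key(owner) < k < canon_key(nxt):
            return ("cover", owner, nxt)
    return ("cover",) + chain[-1]  # sorts after the last owner: wrap-around NSEC

# Constructed zone: b.example.net has no RRsets but is the parent of a.b.example.net.
ZONE = ["example.net", "a.b.example.net", "z.example.net"]

if __name__ == "__main__":
    for q in ["a.b.example.net", "b.example.net", "c.example.net"]:
        print(q, classify(q, ZONE), denial_nsec(q, ZONE))
```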