[dns-operations] Delegation checking (was: Re: Some DNSSEC trivia)

Mark Andrews Mark_Andrews at isc.org
Thu Jan 10 00:26:13 UTC 2008

> On 9-Jan-2008, at 18:22, Mark Andrews wrote:
> > 	The customer has agreed to supply a RFC compliant nameserver
> Oh, if only it was clear what "RFC compliant" means. We could  
> substitute "standards-compliant" and it's still not any clearer.

	Returning NXDOMAIN for AAAA queries where you return A
	records for A queries is clearly not standard/rfc compliant.

	Yes there are grey areas in standards.  However I believe
	we can come up the a clear list of checks that should be


	* returning a NS RRset that matches what is in the delegation
	* returning address records that match what is in glue or
	  a deeper referrals which then returns a matching address record.
	* returing a NODATA response if there isn't a A/AAAA glue record
	  for namesever after following any referrals.
	* not returning CNAME, DNAME or NXDOMAIN when checking glue.
	* returning the correct SOA record when returning a negative
	* returning the correct NS RRset in the authority section
	  if such a set is returned.
	* returning NODATA to a CNAME query at the apex.

> Joe
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.oarci.net
> http://lists.oarci.net/mailman/listinfo/dns-operations
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the dns-operations mailing list