[dns-operations] Delegation checking (was: Re: Some DNSSEC trivia)
Mark_Andrews at isc.org
Thu Jan 10 00:26:13 UTC 2008
> On 9-Jan-2008, at 18:22, Mark Andrews wrote:
> > The customer has agreed to supply a RFC compliant nameserver
> Oh, if only it was clear what "RFC compliant" means. We could
> substitute "standards-compliant" and it's still not any clearer.
Returning NXDOMAIN for AAAA queries where you return A
records for A queries is clearly not standard/rfc compliant.
Yes there are grey areas in standards. However I believe
we can come up the a clear list of checks that should be
* returning a NS RRset that matches what is in the delegation
* returning address records that match what is in glue or
a deeper referrals which then returns a matching address record.
* returing a NODATA response if there isn't a A/AAAA glue record
for namesever after following any referrals.
* not returning CNAME, DNAME or NXDOMAIN when checking glue.
* returning the correct SOA record when returning a negative
* returning the correct NS RRset in the authority section
if such a set is returned.
* returning NODATA to a CNAME query at the apex.
> dns-operations mailing list
> dns-operations at lists.oarci.net
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the dns-operations