[dns-operations] signing a zone with NSEC3 records.

George Barwood george.barwood at blueyonder.co.uk
Sat Sep 12 07:56:44 UTC 2009

----- Original Message ----- 
From: "Mark Andrews" <marka at isc.org>

> And NSEC records are not include for signed/unsigned delegations
> with a ANY query with DO=0.  In all cases you should get a referral.
> Whether the referral has DNSSEC records or not depends on DO.  If
> DO is set then the NSEC zones response will be the same or smaller
> than the NSEC3 signed zone will be.

That's an interesting observation.

I don't see the basis for this in the standard, we have


" If  the DO bit in an initiating query is not set, the name server side
   MUST strip any authenticating DNSSEC RRs from the response but MUST
   NOT strip any DNSSEC RR types that the initiating query explicitly

which then comes down to what "explicitly requested" means. 
Rfc4035 doesn't answer this question, but 



" Security records that
   match an explicit SIG, KEY, NXT, or ANY query, or are part of the
   zone data for an AXFR or IXFR query, are included whether or not the
   DO bit was set."

which I regard as a bad idea ( since ANY is not really explicit ).

Where does it say that ANY behaves differently for referrals?


More information about the dns-operations mailing list