[dns-operations] signing a zone with NSEC3 records.

Mark Andrews marka at isc.org
Sat Sep 12 08:31:18 UTC 2009

In message <3984B921A7844C53840D474B20C5027D at localhost>, "George Barwood" writes:
> > And NSEC records are not include for signed/unsigned delegations
> > with a ANY query with DO=0.  In all cases you should get a referral.
> > Whether the referral has DNSSEC records or not depends on DO.  If
> > DO is set then the NSEC zones response will be the same or smaller
> > than the NSEC3 signed zone will be.
> That's an interesting observation.
> I don't see the basis for this in the standard, we have
> http://tools.ietf.org/html/rfc4035#section-3.1
> " If  the DO bit in an initiating query is not set, the name server side
>    MUST strip any authenticating DNSSEC RRs from the response but MUST
>    NOT strip any DNSSEC RR types that the initiating query explicitly
>    requested."

Which applies to all types of responses.  Answer, nodata, referral
and name error.

Apart from DS queries, all other query types are answered from the
child zone.  The parent should be returning a referral for anything
other than a DS query.

> which then comes down to what "explicitly requested" means. 
> RfC4035 doesn't answer this question, but 
> http://tools.ietf.org/html/rfc3225
> says
> " Security records that
>    match an explicit SIG, KEY, NXT, or ANY query, or are part of the
>    zone data for an AXFR or IXFR query, are included whether or not the
>    DO bit was set."
> which I regard as a bad idea ( since ANY is not really explicit ).
> Where does it say that ANY behaves differently for referrals?

It doesn't.  Substitute A in my description above and it still holds.


> George

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
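
An added illustration, not part of the thread: a small Python model of the behaviour Mark describes, applying the RFC 4035 section 3.1 stripping rule to a constructed NSEC-signed parent zone with one signed and one unsigned delegation. The zone data, digests, signatures and function names are my own assumptions; following Mark's reading, a referral's contents depend on the DO bit only, while a DS query is answered by the parent itself.

```python
from typing import NamedTuple, Optional
DNSSEC_TYPES = {"DS", "RRSIG", "NSEC", "NSEC3", "DNSKEY"}

class RR(NamedTuple):
    name: str
    rtype: str
    rdata: str

# Constructed sample: NSEC-signed parent "example." with a signed delegation (DS
# present) and an unsigned one (no DS, which its NSEC proves). Placeholders only.
SOA = RR("example.", "SOA", "ns1.example. hostmaster.example. 1 7200 900 1209600 3600")
SOA_SIG = RR("example.", "RRSIG", "SOA <signature placeholder>")
DELEGATIONS = {
    "signed.example.": [
        RR("signed.example.", "NS", "ns1.signed.example."),
        RR("signed.example.", "DS", "12345 8 2 <digest placeholder>"),
        RR("signed.example.", "RRSIG", "DS <signature placeholder>"),
    ],
    "unsigned.example.": [
        RR("unsigned.example.", "NS", "ns1.unsigned.example."),
        RR("unsigned.example.", "NSEC", "zzz.example. NS RRSIG NSEC"),
        RR("unsigned.example.", "RRSIG", "NSEC <signature placeholder>"),
    ],
}

def owning_delegation(qname: str) -> Optional[str]:
    """Return the delegation point at or above qname, if any."""
    labels = qname.split(".")
    return next((".".join(labels[i:]) for i in range(len(labels))
                 if ".".join(labels[i:]) in DELEGATIONS), None)

def strip_dnssec(rrs, do_bit: bool, explicit_qtype: Optional[str] = None):
    """RFC 4035 3.1: with DO=0 drop DNSSEC RRs except a type the query named."""
    if do_bit:
        return list(rrs)
    return [rr for rr in rrs
            if rr.rtype not in DNSSEC_TYPES or rr.rtype == explicit_qtype]

def respond(qname: str, qtype: str, do_bit: bool):
    """Answer and authority sections as the parent 'example.' would send them."""
    deleg = owning_delegation(qname)
    if deleg is None:
        raise ValueError("only names under the sample delegations are modelled")
    rrs = DELEGATIONS[deleg]
    if qtype == "DS" and qname == deleg:  # DS is parent-side data: answered here
        ds = [rr for rr in rrs if rr.rtype == "DS"]
        if ds:
            sig = [rr for rr in rrs if rr.rtype == "RRSIG" and rr.rdata.startswith("DS")]
            return {"answer": strip_dnssec(ds + sig, do_bit, "DS"), "authority": []}
        proof = [rr for rr in rrs if rr.rtype in ("NSEC", "RRSIG")]  # nodata proof
        return {"answer": [], "authority": strip_dnssec([SOA, SOA_SIG] + proof, do_bit)}
    # Anything else (A, ANY, NSEC, ...) is a referral; its content depends on DO only.
    return {"answer": [], "authority": strip_dnssec(rrs, do_bit)}
```

Comparing `respond("www.unsigned.example.", "A", False)` with the same query for ANY or NSEC shows the referral is identical, while the DS and RRSIG only appear once the DO bit is set.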
