[dns-operations] signing a zone with NSEC3 records.

George Barwood george.barwood at blueyonder.co.uk
Sat Sep 12 09:20:15 UTC 2009

----- Original Message ----- 
From: "Mark Andrews" <marka at isc.org>
To: "George Barwood" <george.barwood at blueyonder.co.uk>
Cc: "Florian Weimer" <fweimer at bfk.de>; <dns-operations at mail.dns-oarc.net>
Sent: Saturday, September 12, 2009 9:31 AM
Subject: Re: [dns-operations] signing a zone with NSEC3 records. 

> In message <3984B921A7844C53840D474B20C5027D at localhost>, "George Barwood" writes:
>> > And NSEC records are not included for signed/unsigned delegations
>> > with an ANY query with DO=0.  In all cases you should get a referral.
>> > Whether the referral has DNSSEC records or not depends on DO.  If
>> > DO is set then the NSEC zones response will be the same or smaller
>> > than the NSEC3 signed zone will be.
>> That's an interesting observation.
>> I don't see the basis for this in the standard, we have
>> http://tools.ietf.org/html/rfc4035#section-3.1
>> " If  the DO bit in an initiating query is not set, the name server side
>>    MUST strip any authenticating DNSSEC RRs from the response but MUST
>>    NOT strip any DNSSEC RR types that the initiating query explicitly
>>    requested."
> Which applies to all types of responses.  Answer, nodata, referral
> and name error.
> Apart from DS queries, all other query types are answered from the
> child zone.  The parent should be returning a referral for anything
> other than a DS query.

OK, I partly see the logic: the parent zone is authoritative for the DS records, so it is special.
For everything else, a referral is appropriate, although, by-the-by, it seems that explicit
requests for parent NSEC/NSEC3 records are also special, because both the parent and child
are authoritative for that (IIRC), e.g.

dig nsec org @ns.iana.org

But I think you might think that ANY would return authoritative DS and NSEC records,
if present (at least when DO=1), along with the referral (and what about RRSIG?). I don't see
any explicit guidance on this in the standard. It's probably not a good idea, but I think that
this should be made clearer, unless I have missed it.
