[dns-operations] signing a zone with NSEC3 records.
george.barwood at blueyonder.co.uk
Sat Sep 12 09:20:15 UTC 2009
----- Original Message -----
From: "Mark Andrews" <marka at isc.org>
To: "George Barwood" <george.barwood at blueyonder.co.uk>
Cc: "Florian Weimer" <fweimer at bfk.de>; <dns-operations at mail.dns-oarc.net>
Sent: Saturday, September 12, 2009 9:31 AM
Subject: Re: [dns-operations] signing a zone with NSEC3 records.
> In message <3984B921A7844C53840D474B20C5027D at localhost>, "George Barwood" write
>> > And NSEC records are not include for signed/unsigned delegations
>> > with a ANY query with DO=0. In all cases you should get a referral.
>> > Whether the referral has DNSSEC records or not depends on DO. If
>> > DO is set then the NSEC zones response will be the same or smaller
>> > than the NSEC3 signed zone will be.
>> That's an interesting observation.
>> I don't see the basis for this in the standard, we have
>> " If the DO bit in an initiating query is not set, the name server side
>> MUST strip any authenticating DNSSEC RRs from the response but MUST
>> NOT strip any DNSSEC RR types that the initiating query explicitly
> Which applies to all types of responses. Answer, nodata, referral
> and name error.
> Apart from DS queries, all other query types are answered from the
> child zone. The parent should be returning a referral for anything
> other than a DS query.
Ok, I partly see the logic, the parent zone is authoritative for the DS records, so it is special.
For everything else, a referral is appropriate, although, by-the-by, it seems that explicit
requests for parent NSEC/NSEC3 records are also special, because both the parent and child
are authoritative for that (IIRC), e.g.
dig nsec org @ns.iana.org
But I think you might think that ANY would return authoritative DS and NSEC records,
if present (at least when DO=1), along with the referral (and what about RRSIG?) I don't see
any explicit guidance on this in the standard. It's probably not a good idea, but I think that
this should be made clearer, unless I have missed it.
More information about the dns-operations