[dns-operations] IANA testbed problem
eoster at cs.ucla.edu
Thu Apr 8 15:52:17 UTC 2010
On Apr 8, 2010, at 8:40 AM, George Barwood wrote:
> The IANA testbed ( https://ns.iana.org/dnssec/status.html ) seems to
> respond incorrectly to queries for DS iana.org
> It should act as a (test) signed root, with one of the root servers
> ns.iana.org. 3600 IN A 188.8.131.52
> The response to
>> dig ds iana.org @184.108.40.206
> should (I think) be a referral to the org servers, since the DS
> RRset is served by the parent zone.
> However, the actual response is an authoritative NoData response,
> iana.org. 3600 IN SOA dns1.icann.org.
> i.e. it is coming from the iana.org zone rather than the root zone.
> Am I being stupid, or is this a bug?
afaict, you seem to be right:
2.4. Including DS RRs in a Zone
DS RRsets MUST NOT appear at a zone's apex
As for the referral:
220.127.116.11. Responding to Queries for DS RRs
the name server MUST return an authoritative "no data" response
showing that the DS RRset does not exist in the child zone's apex.
> It can lead to authentication errors if the org zone has not yet
> been discovered
> by the resolver, e.g. if the first query is for ns.iana.org
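Added example, not part of the original messages: a small wire-format check that tells the two outcomes discussed in this thread apart for a `DS iana.org` query, and reports which zone produced the reply by reading the owner name of the SOA or NS record in the authority section. The sample messages are constructed here; `hostmaster.example` and `ns.example` are placeholder names, and the function names are this example's own.

```python
import struct

NS, SOA, DS = 2, 6, 43                      # RR type codes

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    for _ in range(128):                    # bound pointer chasing
        n = msg[off]
        if (n & 0xC0) == 0xC0:              # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
        elif n == 0:
            return ".".join(labels) + ".", (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
    raise ValueError("compression pointer loop")

def classify_ds_response(msg):
    """Return (kind, owner) describing how a server answered a DS query."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    aa, off = bool(flags & 0x0400), 12
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4    # skip QTYPE and QCLASS
    for i in range(an + ns):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if i < an and rtype == DS:
            return "ds-answer", owner
        if i >= an and aa and rtype == SOA:
            return "authoritative-nodata", owner   # SOA owner = zone that answered
        if i >= an and not aa and rtype == NS:
            return "referral", owner               # NS owner = zone referred to
    return "other", None

def wire(n):
    return b"".join(bytes([len(l)]) + l.encode() for l in n.split(".") if l) + b"\0"

def build(aa, rtype, owner, rdata):
    """Constructed response to 'DS iana.org' carrying one authority RR."""
    hdr = struct.pack("!6H", 1, 0x8000 | (0x0400 if aa else 0), 1, 0, 1, 0)
    q = wire("iana.org") + struct.pack("!HH", DS, 1)
    return hdr + q + wire(owner) + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata

# Constructed samples: the reply reported in the thread, and the expected referral.
SOA_RDATA = wire("dns1.icann.org") + wire("hostmaster.example") + struct.pack("!5I", 1, 2, 3, 4, 5)
OBSERVED = build(True, SOA, "iana.org", SOA_RDATA)
EXPECTED = build(False, NS, "org", wire("ns.example"))
```

An `authoritative-nodata` result whose owner is the queried name itself means the child zone answered the DS query, which is the behaviour reported above.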