On Wed, Jul 20, 2011 at 03:29:41PM -0400, Paul Wouters wrote:
> On Wed, 20 Jul 2011, Chuck Anderson wrote:
> >More importantly, what are the ramifications of not having any SOA or
> >NS records in the zone?
> It breaks, and some clients won't be able to reach your service.

Hmm. A twist on this question: what are the ramifications of having an invalid DNSSEC signature over the SOA of a signed zone? I have found a couple of cases where some tool or other is signing the SOA but breaking the signature by changing the serial number after the signature is attached. Other than BIND logging some complaints (on my validating resolver) there doesn't seem to be any impact. And that's a very good thing since neither operator has fixed their problem yet ;)
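To make the failure mode above concrete, here is an added example (not code from this thread or from any of the tools mentioned) that builds the exact byte string a DNSSEC signer covers for an SOA RRset (RRSIG RDATA prefix plus the canonical RR, per RFC 4034 section 3.1.8.1) and shows that bumping the serial after signing invalidates the signature, while re-signing with the new serial fixes it. HMAC-SHA256 stands in for an RSA/ECDSA DNSSEC algorithm so it runs with the standard library only; the zone name, key, key tag and timestamps are constructed values.

```python
import hashlib
import hmac
import struct

TYPE_SOA = 6
CLASS_IN = 1
# 253 is the "private DNS" algorithm code point; HMAC-SHA256 stands in here for a
# public-key DNSSEC algorithm so the example needs nothing outside the stdlib.
ALG_STANDIN = 253


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a domain name (RFC 4034 section 6.2): lowercase labels."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"bad label {label!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def soa_rdata(mname, rname, serial, refresh, retry, expire, minimum) -> bytes:
    """SOA RDATA (RFC 1035 section 3.3.13); the serial is the first 32-bit field."""
    return (name_to_wire(mname) + name_to_wire(rname)
            + struct.pack(">IIIII", serial, refresh, retry, expire, minimum))


def canonical_rr(owner, ttl, rdata, rtype=TYPE_SOA, rclass=CLASS_IN) -> bytes:
    """RR(i) as covered by the signature: name | type | class | OrigTTL | RDLENGTH | RDATA."""
    return name_to_wire(owner) + struct.pack(">HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def rrsig_prefix(type_covered, algorithm, labels, original_ttl,
                 expiration, inception, key_tag, signer) -> bytes:
    """RRSIG RDATA with the Signature field omitted (RFC 4034 section 3.1.8.1)."""
    return (struct.pack(">HBBIIIH", type_covered, algorithm, labels, original_ttl,
                        expiration, inception, key_tag) + name_to_wire(signer))


def data_to_sign(prefix: bytes, rrs) -> bytes:
    """RRSIG_RDATA | RR(1) | RR(2) | ... with the RRs in canonical order."""
    return prefix + b"".join(sorted(rrs))


def sign_rrset(key: bytes, prefix: bytes, rrs) -> bytes:
    return hmac.new(key, data_to_sign(prefix, rrs), hashlib.sha256).digest()


def verify_rrset(key: bytes, prefix: bytes, rrs, signature: bytes) -> bool:
    return hmac.compare_digest(sign_rrset(key, prefix, rrs), signature)


def serial_bump_breaks_signature():
    """Sign an SOA, bump only the serial, then re-sign.

    Returns (valid_before, valid_after_bump, valid_after_resign)."""
    key = b"constructed-zone-signing-key"          # constructed stand-in for a ZSK
    zone, ttl = "example.net.", 3600               # constructed zone
    inception = 1311100000                         # constructed timestamp
    prefix = rrsig_prefix(TYPE_SOA, ALG_STANDIN, 2, ttl,
                          inception + 30 * 86400, inception, 12345, zone)

    def soa(serial):
        return canonical_rr(zone, ttl, soa_rdata("ns1.example.net.", "hostmaster.example.net.",
                                                 serial, 7200, 900, 1209600, 300))

    sig = sign_rrset(key, prefix, [soa(2011072001)])
    valid_before = verify_rrset(key, prefix, [soa(2011072001)], sig)
    # The serial lives inside the signed RDATA, so changing it after signing
    # leaves an RRSIG that no longer matches the RRset a validator sees.
    valid_after_bump = verify_rrset(key, prefix, [soa(2011072002)], sig)
    resigned = sign_rrset(key, prefix, [soa(2011072002)])
    valid_after_resign = verify_rrset(key, prefix, [soa(2011072002)], resigned)
    return valid_before, valid_after_bump, valid_after_resign


if __name__ == "__main__":
    print(serial_bump_breaks_signature())  # (True, False, True)
```

The design point is that the serial is part of the SOA RDATA and so is part of the bytes under the signature; any tool that rewrites the serial after the RRSIG is produced must re-sign the SOA RRset, which is what the third value shows. A validating resolver that compares the RRSIG against the SOA it actually received will see exactly the mismatch this returns, which is the source of the complaints BIND logs.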