[dns-operations] DNS zone without an SOA or NS records

Mark Andrews marka at isc.org
Wed Jul 20 22:07:58 UTC 2011

In message <20110720200518.GA29253 at nysernet.org>, Bill Owens writes:
> On Wed, Jul 20, 2011 at 03:29:41PM -0400, Paul Wouters wrote:
> > On Wed, 20 Jul 2011, Chuck Anderson wrote:
> > >More importantly, what are the ramifications of not having any SOA or
> > >NS records in the zone?
> > 
> > It breaks, and some clients wont be able to reach your service.
> Hmm. A twist on this question: what are the ramifications of having an invali
> d DNSSEC signature over the SOA of a signed zone? I have found a couple of ca
> ses where some tool or other is signing the SOA but breaking the signature by
>  changing the serial number after the signature is attached. Other than BIND 
> logging some complaints (on my validating resolver) there doesn't seem to be 
> any impact. And that's a very good thing since neither operator has fixed the
> ir problem yet ;)
It depends if the client distingishes SERVFAIL from NODATA/NXDOMAIN or not.

> Bill.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list