[dns-operations] DNS zone without an SOA or NS records
Mark Andrews
marka at isc.org
Wed Jul 20 22:07:58 UTC 2011
In message <20110720200518.GA29253 at nysernet.org>, Bill Owens writes:
> On Wed, Jul 20, 2011 at 03:29:41PM -0400, Paul Wouters wrote:
> > On Wed, 20 Jul 2011, Chuck Anderson wrote:
> > >More importantly, what are the ramifications of not having any SOA or
> > >NS records in the zone?
> >
> > It breaks, and some clients won't be able to reach your service.
>
> Hmm. A twist on this question: what are the ramifications of having an
> invalid DNSSEC signature over the SOA of a signed zone? I have found a
> couple of cases where some tool or other is signing the SOA but breaking
> the signature by changing the serial number after the signature is
> attached. Other than BIND logging some complaints (on my validating
> resolver) there doesn't seem to be any impact. And that's a very good
> thing since neither operator has fixed their problem yet ;)
It depends if the client distinguishes SERVFAIL from NODATA/NXDOMAIN or not.
> Bill.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
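
Added example, not part of the original message or of any ISC code: a sketch of the distinction made in the reply above, classifying a DNS response header as ANSWER, NODATA, NXDOMAIN or SERVFAIL and comparing a client that tells them apart with one that does not. It assumes the validating resolver returns SERVFAIL where a correctly signed zone would have produced NODATA; the messages, the query name and the two client functions are constructed for illustration.

```python
import struct

RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3

def make_response(rcode, ancount, qname="www.example.test"):
    """Constructed response: header plus one question (A/IN).
    Answer records are omitted; only the header counts are read below."""
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1, low four bits carry the RCODE
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def classify(msg):
    """Map a response header to ANSWER / NODATA / NXDOMAIN / SERVFAIL."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    if rcode == RCODE_NOERROR:
        # NODATA is NOERROR with an empty answer section
        return "ANSWER" if ancount else "NODATA"
    if rcode == RCODE_NXDOMAIN:
        return "NXDOMAIN"
    if rcode == RCODE_SERVFAIL:
        return "SERVFAIL"
    return f"RCODE{rcode}"

def distinguishing_client(msg):
    """Hypothetical client that keeps resolver failure apart from 'no such data'."""
    kind = classify(msg)
    if kind == "ANSWER":
        return "use-answer"
    if kind in ("NODATA", "NXDOMAIN"):
        return "name-has-no-data"
    return "lookup-failed"  # says nothing about the name itself

def collapsing_client(msg):
    """Hypothetical client that treats every non-answer the same way."""
    return "use-answer" if classify(msg) == "ANSWER" else "name-has-no-data"

def sees_breakage(client):
    """True if the client behaves differently once NODATA turns into SERVFAIL."""
    healthy = make_response(RCODE_NOERROR, 0)   # correctly signed zone (assumed)
    broken = make_response(RCODE_SERVFAIL, 0)   # validation failure (assumed)
    return client(healthy) != client(broken)
```
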