[dns-operations] NS answer inconsistency between implementations for delegated zone

Tony Finch dot at dotat.at
Fri Mar 16 17:22:16 UTC 2012

Lutz Donnerhacke <lutz at iks-jena.de> wrote:
> * Tony Finch wrote:
> > Sure. Zone cuts are very subtle :-) The basic principle is that the parent
> > zone is not authoritative for any data at or below the cut, except for the
> > DNSSEC records (DS + RRSIG, NSEC + RRSIG).
> Be careful: The parent zone is responsible for DS (+ RRSIG).
> NSEC (+ RRSIG) exists authoritivly on both sites of the zone cut.

You are right, I should have been clearer. Note that NSEC3(+RRSIG) does
not appear at the zone cut :-)

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Hebrides: Southwest veering northwest 5 or 6. Rough or very rough. Showers.

More information about the dns-operations mailing list