[dns-operations] NS answer inconsistency between implementations for delegated zone
Tony Finch
dot at dotat.at
Fri Mar 16 17:22:16 UTC 2012
Lutz Donnerhacke <lutz at iks-jena.de> wrote:
> * Tony Finch wrote:
> > Sure. Zone cuts are very subtle :-) The basic principle is that the parent
> > zone is not authoritative for any data at or below the cut, except for the
> > DNSSEC records (DS + RRSIG, NSEC + RRSIG).
>
> Be careful: The parent zone is responsible for DS (+ RRSIG).
> NSEC (+ RRSIG) exists authoritivly on both sites of the zone cut.
You are right, I should have been clearer. Note that NSEC3(+RRSIG) does
not appear at the zone cut :-)
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Hebrides: Southwest veering northwest 5 or 6. Rough or very rough. Showers.
Good.
More information about the dns-operations
mailing list