[dns-operations] It's begun...

Chris Thompson cet1 at cam.ac.uk
Thu Oct 24 14:39:10 UTC 2013

On Oct 24 2013, I wrote:

>Part of the problem is that only one NSEC3 record is returned - the
>one covering the zone apex, which doesn't necessarily cover the
>name queried for. But validation seems to fail even in cases when
>the name is so covered.

Ah - Mark Andrews' post points out why that is. "*.xn--80asehdb"
(for example) isn't covered by the sole NSEC3 returned, even if
the queried name is.

Chris Thompson               University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk    Roger Needham Building, 7 JJ Thomson Avenue,
Phone: +44 1223 334715       Cambridge CB3 0RB, United Kingdom.
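
The point above, as an added example (not code from the original post or from any resolver): under RFC 5155 an NXDOMAIN proof needs an NSEC3 matching the closest encloser plus NSEC3s covering both the next closer name and the wildcard at the closest encloser, so one apex record is rarely enough. The zone contents, query names, empty salt and zero iterations are constructed assumptions, and the closest encloser is passed in rather than discovered from the response.

```python
import base64
import hashlib

# base32 -> base32hex ("extended hex") alphabet used for NSEC3 owner labels
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 hash (SHA-1) of a domain name, as a lowercase base32hex label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    wire = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode().lower()

def covers(owner, nxt, h):
    """True if hash h lies strictly between an NSEC3's owner and next hash."""
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt          # last record wraps around the ring

def missing_proofs(qname, encloser, nsec3s, salt=b"", iterations=0):
    """Names whose part of the NXDOMAIN proof is absent from (owner, next) pairs."""
    extra = qname.rstrip(".")[: -len(encloser) - 1].split(".")
    next_closer = extra[-1] + "." + encloser
    missing = []
    ce_hash = nsec3_hash(encloser, salt, iterations)
    if all(o != ce_hash for o, _ in nsec3s):
        missing.append(encloser)         # closest encloser must be matched
    for name in (next_closer, "*." + encloser):   # these two must be covered
        h = nsec3_hash(name, salt, iterations)
        if not any(covers(o, n, h) for o, n in nsec3s):
            missing.append(name)
    return missing

def chain(names, salt=b"", iterations=0):
    """Full NSEC3 ring for a zone containing exactly the given names."""
    hs = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return list(zip(hs, hs[1:] + hs[:1]))

if __name__ == "__main__":
    apex = "xn--80asehdb"
    zone = [apex] + [f"{lab}.{apex}" for lab in ("nic", "www", "whois")]  # constructed
    ring = chain(zone)
    sole = [r for r in ring if r[0] == nsec3_hash(apex)]   # apex record only
    for q in ("nosuch." + apex, "a.b." + apex):            # constructed queries
        print(q, "| apex NSEC3 only:", missing_proofs(q, apex, sole),
              "| full set:", missing_proofs(q, apex, ring))
```

An empty list means the supplied records are sufficient for denial of existence; any name listed is one a validator cannot account for.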
