[dns-operations] DNSSEC at ICANN: still no check?

Matthew Pounsett matt at conundrum.com
Tue Jan 21 15:55:17 UTC 2014


On Jan 21, 2014, at 09:34 , Casey Deccio <casey at deccio.net> wrote:

> That could be the case (the issue appears to be fixed now).  In the past when I've seen this the authoritative server returns NXDOMAIN status, rather than NOERROR, as the name (according the delegating parent zone, which answers for DS) does not exist.  In this case, the name does appear to exist, but with no record types.  I'm guessing that is because there is some "sibling glue" in the "red" zone for another delegation, which NS records include server names in "nic.red".  Interesting find - I hadn't seen this scenario before.

If the same server is authoritative for both zones you’ll still get an answer for your request (for nic.red), so no NXDOMAIN, but the cryptographic chain will be missing since the NSEC records in red indicate that nic.red doesn’t exist.





More information about the dns-operations mailing list