[dns-operations] DNSSEC at ICANN: still no check?

Casey Deccio casey at deccio.net
Tue Jan 21 16:18:43 UTC 2014


On Tue, Jan 21, 2014 at 10:55 AM, Matthew Pounsett <matt at conundrum.com>wrote:

> If the same server is authoritative for both zones you’ll still get an
> answer for your request (for nic.red), so no NXDOMAIN, but the
> cryptographic chain will be missing since the NSEC records in red indicate
> that nic.red doesn’t exist.
>
>
In this case of DS query, you won't receive an answer (i.e., record(s) in
the "answer" section) because no DS records exist.  If there is no
delegation to the child zone in the parent, then the parent will either
answer NXDOMAIN or NOERROR with NSEC(3) records having no NS bit set.
Either case is problematic, but I believe the outcome depends on the
existence of sibling glue in the parent zone.

Casey
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20140121/54eb9935/attachment.html>


More information about the dns-operations mailing list