Paul Vixie paul at redbarn.org
Fri Mar 28 03:01:03 UTC 2014

Paul Wouters wrote:
> On Thu, 27 Mar 2014, Paul Vixie wrote:
>>> Those and the others you quoted are all glue records, not authoritative,
>>> and no RRSIG's over those records.
>> here's how i checked my work.
> I don't see how that checks your work?
>> ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +trace 1s.de mx
>> ;; global options: +cmd
>> .                       15714   IN      NS      a.root-servers.net.
> [...]
>> ;; Received 228 bytes from in 429 ms
> How did google DNS get into this picture?

that's the resolv.conf for the vm i ran "dig +trace" on. as you can see,
this is how the root name server set is discovered.

> I do get an RRSIG for the mx of 1s.de, despite a lack of NS records.
> But you wrote:

did you not see the 1s.de MX example contained in the JSON? when i saw
the A RR's in my first example, i decided to check for a data type that
is never glue. so, yes, some of those records were glue. some were
authoritative, signed-in-the-TLD. i consider both to be acceptable.

