[dns-operations] DS-side NSEC query

Edward Lewis edward.lewis at icann.org
Tue Aug 9 16:20:42 UTC 2016

On 7/29/16, 06:34, "dns-operations on behalf of Peter van Dijk" <dns-operations-bounces at dns-oarc.net on behalf of peter.van.dijk at powerdns.com> wrote:

    Based on +nsid and version.bind, the delegation response comes from Knot 
    and NSD, while BIND serves the NSEC. If I had to choose, I would 
    consider the Knot/NSD behaviour correct, but at least two people I’ve 
    spoken to either disagree or feel that this is a sufficiently gray area 
    that either is fine.

Historically a name server would aggressively seek the most complete answer to a query.  Meaning, the server would answer from the deepest zone it could, which might lend credence to answering from below the zone cut.  But in this case, if the qtype is NSEC and the qname owns an SOA record, either NSEC is appropriate as they are both complete answers.  (With complete meaning not a referral or redirection.)
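
An added example, not part of the original post: one way to tell which of the three answers discussed above a server returned for a qtype NSEC query at a zone cut. It decodes the NSEC type bitmap (RFC 4034 section 4.1.2) and relies on the parent-side NSEC at a delegation carrying the NS bit without SOA, while the child apex NSEC carries SOA. The function names and the sample bitmaps are constructed for illustration.

```python
NS, SOA, DS, RRSIG, NSEC, DNSKEY = 2, 6, 43, 46, 47, 48  # IANA RR type codes

def parse_type_bitmap(data):
    """Decode an NSEC type bitmap (RFC 4034 section 4.1.2) into a set of type codes."""
    types, pos = set(), 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated window header")
        window, length = data[pos], data[pos + 1]
        pos += 2
        # Each window block carries 1 to 32 bitmap octets.
        if not 1 <= length <= 32 or pos + length > len(data):
            raise ValueError("bad bitmap length")
        for i, octet in enumerate(data[pos:pos + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):  # bit 0 is the most significant bit
                    types.add(window * 256 + i * 8 + bit)
        pos += length
    return types

def classify_nsec_response(answer_bitmap, authority_types):
    """Classify the response to a query for <zone cut name>/NSEC.

    answer_bitmap: raw type bitmap of the NSEC RR in the answer section,
                   or None if the answer section is empty.
    authority_types: set of RR type codes seen in the authority section.
    """
    if answer_bitmap is None:
        # No answer, NS in authority: the server handed out the delegation.
        return "referral" if NS in authority_types else "other"
    present = parse_type_bitmap(answer_bitmap)
    if SOA in present:
        return "child-side NSEC"   # apex of the child zone owns the SOA
    if NS in present:
        return "parent-side NSEC"  # delegation point in the parent zone
    return "other"

# Constructed sample bitmaps (not captured from any real server).
PARENT_SIDE = bytes.fromhex("0006200000000013")   # NS DS RRSIG NSEC
CHILD_SIDE = bytes.fromhex("000722000000000380")  # NS SOA RRSIG NSEC DNSKEY

if __name__ == "__main__":
    print(classify_nsec_response(PARENT_SIDE, set()))
    print(classify_nsec_response(CHILD_SIDE, set()))
    print(classify_nsec_response(None, {NS, DS, RRSIG}))
```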
