[dns-operations] DS-side NSEC query
Edward Lewis
edward.lewis at icann.org
Tue Aug 9 16:20:42 UTC 2016
On 7/29/16, 06:34, "dns-operations on behalf of Peter van Dijk" <dns-operations-bounces at dns-oarc.net on behalf of peter.van.dijk at powerdns.com> wrote:
Based on +nsid and version.bind, the delegation response comes from Knot
and NSD, while BIND serves the NSEC. If I had to choose, I would
consider the Knot/NSD behaviour correct, but at least two people I’ve
spoken to either disagree or feel that this is a sufficiently gray area
that either is fine.
Opinions?
Historically a name server would aggressively seek the most complete answer to a query. Meaning, the server would answer from the deepest zone it could, which might lend credence to answering from below the zone cut. But in this case, if the qtype is NSEC and the qname owns an SOA record, either NSEC is appropriate as they are both complete answers. (With complete meaning not a referral or redirection.)
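Added example, not part of the original message or of any name server's code: the two NSEC records discussed above can be told apart by their type bitmap, because the child zone's apex NSEC has the SOA bit set while the parent's NSEC at the delegation has NS set and SOA clear (RFC 4035 section 5.4; bitmap encoding per RFC 4034 section 4.1.2). The function names and the two sample bitmaps are constructed for illustration.

```python
TYPE_NS, TYPE_SOA = 2, 6

def parse_type_bitmaps(data: bytes) -> set:
    """Decode an NSEC 'Type Bit Maps' field into a set of RR type numbers."""
    types, pos, last_window = set(), 0, -1
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated window header")
        window, length = data[pos], data[pos + 1]
        pos += 2
        if not 1 <= length <= 32:
            raise ValueError("bitmap length must be 1..32")
        if window <= last_window:
            raise ValueError("window blocks must be in increasing order")
        if pos + length > len(data):
            raise ValueError("truncated bitmap")
        for i, octet in enumerate(data[pos:pos + length]):
            for bit in range(8):
                # Bit 0 is the most significant bit of the first octet.
                if octet & (0x80 >> bit):
                    types.add(window * 256 + i * 8 + bit)
        pos += length
        last_window = window
    return types

def nsec_side(bitmap: bytes) -> str:
    """Say which side of a zone cut an NSEC at the delegation name came from."""
    types = parse_type_bitmaps(bitmap)
    if TYPE_SOA in types:
        return "child"      # apex NSEC, served from the child zone
    if TYPE_NS in types:
        return "parent"     # delegation NSEC, served from the parent zone
    return "not-a-cut"      # owner name is neither an apex nor a delegation

# Constructed samples (not captured from any real zone).
# Parent side: NS DS RRSIG NSEC
PARENT_BITMAP = bytes.fromhex("0006200000000013")
# Child side: NS SOA RRSIG NSEC DNSKEY
CHILD_BITMAP = bytes.fromhex("000722000000000380")

if __name__ == "__main__":
    for label, bm in (("sample A", PARENT_BITMAP), ("sample B", CHILD_BITMAP)):
        print(label, sorted(parse_type_bitmaps(bm)), nsec_side(bm))
```
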