[dns-operations] DS-side NSEC query

Peter Koch pk at denic.de
Fri Jul 29 16:30:58 UTC 2016

On Fri, Jul 29, 2016 at 05:00:34PM +0200, Peter van Dijk wrote:

> >algorithm 4.3.2 in RFC 1034 would suggest that authoritative data
> >takes precedence over a delegation.  Hindsight, admittedly.
> Going by that logic, an MX query should also not give out the 
> delegation. This is obviously not the way to go!

not really: the MX RR cannot legitimately exist at the delegation
point in the parent, NSEC (and DS, for that matter) can. It's a corner
case, after all. That said, how do the implementations deal with
the NSEC query, if the NSEC RR is absent

o erroneously (there is no right in wrong ...)
o because the zone is unsigned
o because the zone is signed using NSEC3

On Sat, Jul 30, 2016 at 01:09:10AM +1000, Mark Andrews wrote:

> Both sides of the cut are authoritative for NSEC.  NSEC is not like
> other records.
> foo.                    86400   IN      NSEC    foodnetwork. NS DS RRSIG NSEC
> foo.                  300     IN      NSEC    aerialproject.foo. NS SOA RRSIG NSEC DNSKEY

Of course they are - but 4.3.2 still makes sense, even if it predates NSEC.
For seasoned zone walkers getting the auth response from the parent
might also meet the 'principle of least surprise', but YMMV.


More information about the dns-operations mailing list