[dns-operations] DS-side NSEC query
Mark Andrews
marka at isc.org
Fri Jul 29 20:38:40 UTC 2016
In message <20160729163058.GA21165 at x28.adm.denic.de>, Peter Koch writes:
> On Fri, Jul 29, 2016 at 05:00:34PM +0200, Peter van Dijk wrote:
>
> > >algorithm 4.3.2 in RFC 1034 would suggest that authoritative data
> > >takes precedence over a delegation. Hindsight, admittedly.
> >
> > Going by that logic, an MX query should also not give out the
> > delegation. This is obviously not the way to go!
>
> not really: the MX RR cannot legitimately exist at the delegation
> point in the parent, NSEC (and DS, for that matter) can. It's a corner
> case, after all. That said, how do the implementations deal with
> the NSEC query, if the NSEC RR is absent
>
> o erroneously (there is no right in wrong ...)
> o because the zone is unsigned
> o because the zone is signed using NSEC3
>
> On Sat, Jul 30, 2016 at 01:09:10AM +1000, Mark Andrews wrote:
>
> > Both sides of the cut are authoritative for NSEC. NSEC is not like
> > other records.
> >
> > foo. 86400 IN NSEC foodnetwork. NS DS RRSIG NSEC
> > foo. 300 IN NSEC aerialproject.foo. NS SOA RRSIG NSEC DNSKEY
>
> Of course they are - but 4.3.2 still makes sense, even if it predates NSEC.
> For seasoned zone walkers getting the auth response from the parent
> might also meet the 'principle of least surprise', but YMMV.
And you can make a case for both 3a and 3b. The delegating NS
records are not authoritative. The NSEC records are authoritative.
KEY is also another type which exists authoritatively both sides
of a delegation as does NXT which NSEC replaced and both RRSIG and
SIG. NXT and SIG should be virtually non-existent but KEY still
exists.
> -Peter
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
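
The two NSEC records quoted in the thread share the owner name foo. and differ only in next name, TTL and type bitmap. The following is an added example, not part of the original message: it tells the two sides of the cut apart by the bitmap (SOA present means child apex, NS without SOA means the delegation point in the parent). The function names are hypothetical.

```python
# Added example: classify NSEC records at a zone cut by their type bitmap.
from typing import NamedTuple

class Nsec(NamedTuple):
    owner: str
    ttl: int
    next_name: str
    types: frozenset

def parse_nsec(line: str) -> Nsec:
    """Parse one presentation-format record: owner TTL IN NSEC next types..."""
    fields = line.split()
    if len(fields) < 5 or fields[2].upper() != "IN" or fields[3].upper() != "NSEC":
        raise ValueError(f"not an IN NSEC record: {line!r}")
    return Nsec(fields[0].lower(), int(fields[1]), fields[4].lower(),
                frozenset(t.upper() for t in fields[5:]))

def side_of_cut(rec: Nsec) -> str:
    """SOA bit set: apex of the child zone. NS without SOA: parent side."""
    if "SOA" in rec.types:
        return "child-apex"
    if "NS" in rec.types:
        return "parent-delegation"
    return "ordinary"

def group_by_owner(lines):
    """Map owner name -> {side: record}, so both NSECs at a cut sit together."""
    out = {}
    for line in lines:
        rec = parse_nsec(line)
        out.setdefault(rec.owner, {})[side_of_cut(rec)] = rec
    return out

# The two records quoted in the thread.
RECORDS = [
    "foo. 86400 IN NSEC foodnetwork. NS DS RRSIG NSEC",
    "foo. 300 IN NSEC aerialproject.foo. NS SOA RRSIG NSEC DNSKEY",
]

if __name__ == "__main__":
    for owner, sides in group_by_owner(RECORDS).items():
        for side, rec in sorted(sides.items()):
            print(f"{owner:6} {side:18} next={rec.next_name} ttl={rec.ttl}")
```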