[dns-operations] comcast.net DNSSEC validation issues

Mark Andrews marka at isc.org
Thu Jun 22 21:35:48 UTC 2017

In message <D57151D0.B6508%Mark_Feldman at cable.comcast.com>, "Feldman, Mark" writes:
> I have to admit to reading the qname starting at the haughtington label
> and ignoring the trash to the left.  My bad.  Your and Rob's follow-up
> emails on and off list clarified this.
> Agreed that there are many subtleties.  Would a non-DNSSEC-aware-resolver,
> being asked for DS by a client, possibly accept responses from either the
> child or parent depending on whether the NS set for the child was already
> cached?  Not that this is germane to the question at hand since I think
> we're talking about DNSSEC-aware systems throughout...

If it is asking the parent server it will get the DS answer from
the parent and accept it.  If it is asking the servers for the child
zone it will accept it.  In both cases it is getting a DS response
from the zone it is expecting to get a DS response from or to get
a referral to deeper in the hierarchy.  The one complicated answer
is if the parent and child servers are the same.  In that case the
SOA in the authority section will be from the parent in the negative


>   Mark
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
