[dns-operations] Forged Delegation Injection into Empty Non-Terminal with NSEC3

Mark Andrews marka at isc.org
Wed Jan 17 07:13:39 UTC 2018

Also from RFC 5155

      Each empty non-terminal MUST have a corresponding NSEC3 RR, unless
      the empty non-terminal is only derived from an insecure delegation
      covered by an Opt-Out NSEC3 RR.

The example ENTs presented are part of the unless.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org

More information about the dns-operations mailing list