[dns-operations] OpenDNS, Google, Nominet - New delegation update failure mode

Vladimír Čunát vladimir.cunat+ietf at nic.cz
Wed Nov 18 07:28:13 UTC 2020

On 11/18/20 1:36 AM, Phil Pennock wrote:
> Double-check: in such a scenario, if the request is for the recursive to
> validate DNSSEC and this zone is not opt-out, then the recursive would
> HAVE to get the data from the child, because the parent won't have RRSIG
> records for the glue NS, right?
> [...]

I believe the requirements are stronger and a server may never put
parent-side data into ANSWER section.  Validation can help in the sense
that if it succeeds, it doesn't matter where the data came from.

The best reference is probably rfc2181 5.4.1 again:

>    Unauthenticated RRs received and cached from the least trustworthy of
>    those groupings, that is data from the additional data section, and
>    data from the authority section of a non-authoritative answer, should
>    not be cached in such a way that they would ever be returned as
>    answers to a received query.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20201118/86a5e7d3/attachment.html>

More information about the dns-operations mailing list