[dns-operations] [Ext] Possibly-incorrect NSEC responses from many RSOs

Vladimír Čunát vladimir.cunat+ietf at nic.cz
Sun Feb 28 19:35:26 UTC 2021

On 2/28/21 3:24 AM, Paul Hoffman wrote:
> On Feb 27, 2021, at 5:32 PM, Mark Andrews<marka at isc.org>  wrote:
>> It says that RRSIGs exist at that name.
> Could you say more? I don't understand the context here.
> For example, "dig @f.root-servers.net -4 nl rrsig" gives a reply with no Answer section.

Explicit QTYPE=RRSIG is a gray area, I believe.  In some cases it could 
be a DoS vector [1], and I don't know of a use case for such a query, so 
it makes sense not to answer (in full).  In your particular example, if 
you ask for DS nl, you will get all RRSIGs for that name-type pair.  
Overall, it's even explicitly standardized that RRSIGs do not form an 
RRset; they're more like an appendage to the RRset they sign.

[1] https://tools.ietf.org/html/rfc8482#section-7


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20210228/ff13a8af/attachment.html>

More information about the dns-operations mailing list