[dns-operations] [Ext] Possibly-incorrect NSEC responses from many RSOs
vladimir.cunat+ietf at nic.cz
Sun Feb 28 19:35:26 UTC 2021
On 2/28/21 3:24 AM, Paul Hoffman wrote:
> On Feb 27, 2021, at 5:32 PM, Mark Andrews <marka at isc.org> wrote:
>> It says that RRSIGs exist at that name.
> Could you say more? I don't understand the context here.
> For example, "dig @f.root-servers.net -4 nl rrsig" gives a reply with no Answer section.
Explicit QTYPE=RRSIG is a gray area, I believe. In some cases it could
be a DoS vector, and I don't know of a use case for such a query, so
it makes sense not to answer (in full). In your particular example, if
you ask for DS nl, you will get all RRSIGs for that name-type pair.
Overall, it's even explicitly standardized that RRSIGs do not form an
RRset; they're more like an appendage to the RRset they sign.