[dns-operations] [Ext] Possibly-incorrect NSEC responses from many RSOs
Vladimír Čunát
vladimir.cunat+ietf at nic.cz
Sun Feb 28 19:35:26 UTC 2021
On 2/28/21 3:24 AM, Paul Hoffman wrote:
> On Feb 27, 2021, at 5:32 PM, Mark Andrews <marka at isc.org> wrote:
>> It says that RRSIGs exist at that name.
> Could you say more? I don't understand the context here.
>
> For example, "dig @f.root-servers.net -4 nl rrsig" gives a reply with no Answer section.

Explicit QTYPE=RRSIG is a gray area, I believe. In some cases it could
be a DoS vector [1], and I don't know of a use case for such a query, so
it makes sense not to answer (in full). In your particular example, if
you ask for DS nl, you will get all RRSIGs for that name-type pair.
Overall, it's even explicitly standardized that RRSIGs do not form an
RRset; they're more like an appendage to the RRset they sign.

[1] https://tools.ietf.org/html/rfc8482#section-7

--Vladimir