[dns-operations] Possibly-incorrect NSEC responses from many RSOs

Tony Finch dot at dotat.at
Mon Mar 1 17:11:32 UTC 2021


Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>
> The RFC 4035 language is sound for NSEC and DNSKEY, but (and this is a
> related side topic), I rather think that the specification should have
> said that queries for "RRSIG" for an extant name should return a single
> RRSIG of their choice, rather than treat RRSIG records as a normal
> RRSet.

There's some relatively feeble verbiage about this in RFC 8482 (minimal
responses to ANY) - https://tools.ietf.org/html/rfc8482#page-8

BIND does what you suggest if you turn on the minimal-any option.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  https://dotat.at/
Humber, Thames, Dover: East or northeast 3 or 4, occasionally 5 at first.
Slight, occasionally moderate at first in Dover, becoming smooth or slight
later. Fog patches in Dover, fog banks elsewhere. Moderate to very poor,
occasionally good in Dover.



More information about the dns-operations mailing list