[dns-operations] Spurious (?) DNSSEC SERVFAIL with some (?) versions of BIND for one domain?
Vladimír Čunát
vladimir.cunat+ietf at nic.cz
Thu Mar 11 09:39:28 UTC 2021
On 3/11/21 9:21 AM, Matthijs Mekking wrote:
>> which apparently has a DS at the apex of the child zone, which is
>> somewhere between 'useless' and 'wrong'.
>
> It is more wrong than useless: From RFC 4035:
>
> All DS RRsets in a zone MUST be signed, and DS
> RRsets MUST NOT appear at a zone's apex.

I've also encountered DS in the middle of a zone -- i.e. on a name
without NS, in this case also with some child names existing within the
same zone.

I didn't find that it's really forbidden, but on the other hand I've had
no motivation to fix Knot Resolver's forwarding+validation mode to
tunnel through such an obstacle. That zone got fixed eventually, too.

--Vladimir
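
Added example, not part of the original message or of any project's code: a small zone lint for the two DS placements discussed in this thread, DS at the zone apex (the RFC 4035 MUST NOT quoted above) and DS on a name that has no NS. It assumes a simplified, constructed record format ("absolute-owner TYPE rdata" per line); the zone names, the digest placeholders and the finding codes `apex-ds` and `ds-without-ns` are hypothetical.

```python
# Constructed sample zone; names and DS digests are placeholders, not real data.
SAMPLE_ZONE = """\
example.test.         SOA  ns1.example.test. hostmaster.example.test. 1 3600 600 86400 300
example.test.         NS   ns1.example.test.
example.test.         DS   12345 13 2 PLACEHOLDERDIGEST
sub.example.test.     NS   ns1.sub.example.test.
sub.example.test.     DS   23456 13 2 PLACEHOLDERDIGEST
mid.example.test.     DS   34567 13 2 PLACEHOLDERDIGEST
www.mid.example.test. A    192.0.2.10
"""


def parse(zone_text):
    """Return {owner: set of record types} from the simplified record lines."""
    types = {}
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith(";"):
            continue  # skip blank lines and comments
        types.setdefault(fields[0].lower(), set()).add(fields[1].upper())
    return types


def lint_ds(zone_text):
    """Return sorted (owner, code, names_below) findings for misplaced DS RRsets."""
    types = parse(zone_text)
    apexes = [name for name, rrtypes in types.items() if "SOA" in rrtypes]
    if len(apexes) != 1:
        raise ValueError("expected exactly one SOA owner (the zone apex)")
    apex = apexes[0]
    findings = []
    for name in sorted(types):
        if "DS" not in types[name]:
            continue
        if name == apex:
            # RFC 4035: DS RRsets MUST NOT appear at a zone's apex.
            findings.append((name, "apex-ds", []))
        elif "NS" not in types[name]:
            # Not a delegation point: a warning, since the message above notes
            # it is not clearly forbidden. Names below it in the same zone are
            # listed because validators may expect a zone cut here.
            below = sorted(n for n in types if n.endswith("." + name))
            findings.append((name, "ds-without-ns", below))
    return findings


if __name__ == "__main__":
    for owner, code, below in lint_ds(SAMPLE_ZONE):
        print(owner, code, below)
```

A DS that sits beside NS at a delegation point (`sub.example.test.` in the sample) produces no finding.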