[dns-operations] Spurious (?) DNSSEC SERVFAIL with some (?) versions of BIND for one domain?
vladimir.cunat+ietf at nic.cz
Thu Mar 11 09:39:28 UTC 2021
On 3/11/21 9:21 AM, Matthijs Mekking wrote:
>> which apparently has a DS at the apex of the child zone, which is
>> somewhere between 'useless' and 'wrong'.
> It is more wrong than useless: From RFC 4035:
> All DS RRsets in a zone MUST be signed, and DS
> RRsets MUST NOT appear at a zone's apex.
I've also encountered DS in the middle of a zone -- i.e. on a name
without NS, in this case also with some child names existing within the
I didn't find that it's really forbidden, but on the other hand I've had
no motivation to fix Knot Resolver's forwarding+validation mode to
tunnel through such an obstacle. That zone got fixed eventually, too.
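
The two DS placements discussed in this thread (at the zone apex, and on a name with no NS) can be caught with a zone lint before publishing. The following is an added example, not part of the original post and not code from BIND or Knot Resolver; the zone data is constructed, and the parser assumes one record per line with fully qualified owner names and explicit TTL and class.

```python
from collections import defaultdict

# Constructed sample zone (not from the thread). Assumed format: one record
# per line, absolute owner names, no $ORIGIN/$TTL and no parentheses.
SAMPLE_ZONE = """\
example.test.         3600 IN SOA ns1.example.test. host.example.test. 1 7200 900 1209600 300
example.test.         3600 IN NS  ns1.example.test.
example.test.         3600 IN DS  12345 13 2 AABBCCDD   ; DS at the apex
ns1.example.test.     3600 IN A   192.0.2.1
child.example.test.   3600 IN NS  ns.child.example.test.
child.example.test.   3600 IN DS  23456 13 2 11223344   ; proper delegation
mid.example.test.     3600 IN DS  34567 13 2 55667788   ; DS without NS
www.mid.example.test. 3600 IN A   192.0.2.2
"""

def parse_types(zone_text):
    """Map each owner name (lowercased) to the set of RR types it holds."""
    types = defaultdict(set)
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError("unsupported record line: " + line)
        owner, _ttl, _cls, rrtype = fields[:4]
        types[owner.lower()].add(rrtype.upper())
    return types

def find_misplaced_ds(zone_text):
    """Return (owner, kind, has_names_below) for each suspicious DS RRset.

    kind is "apex" (RFC 4035: DS MUST NOT appear at a zone's apex) or
    "no-ns" (DS on a name that is not a delegation point).
    """
    types = parse_types(zone_text)
    apexes = [o for o, t in types.items() if "SOA" in t]
    if len(apexes) != 1:
        raise ValueError("expected exactly one SOA owner (the apex)")
    findings = []
    for owner in sorted(types):
        if "DS" not in types[owner]:
            continue
        below = any(o.endswith("." + owner) for o in types)
        if owner == apexes[0]:
            findings.append((owner, "apex", below))
        elif "NS" not in types[owner]:
            findings.append((owner, "no-ns", below))
    return findings
```
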