[dns-operations] Spurious (?) DNSSEC SERVFAIL with some (?) versions of BIND for one domain?

Vladimír Čunát vladimir.cunat+ietf at nic.cz
Thu Mar 11 09:39:28 UTC 2021

On 3/11/21 9:21 AM, Matthijs Mekking wrote:
>> which apparently has a DS at the apex of the child zone, which is
>> somewhere between 'useless' and 'wrong'.
> It is more wrong than useless: From RFC 4035:
>     All DS RRsets in a zone MUST be signed, and DS
>     RRsets MUST NOT appear at a zone's apex. 

I've also encountered DS in the middle of a zone -- i.e. on a name 
without NS, in this case also with some child names existing within the 
same zone.

I didn't find that it's really forbidden, but on the other hand I've had 
no motivation to fix Knot Resolver's forwarding+validation mode to 
tunnel through such an obstacle. That zone got fixed eventually, too.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20210311/a7085378/attachment.html>

More information about the dns-operations mailing list