On Fri, 3 Oct 2014, Anders Kaseorg wrote:

> > secure no DS means that the original unsigned answer should be
> > accepted, except that it shouldn't. There's no way to distinguish
> > between secure lack of DS because we've reached an unsigned branch of
> > the tree, and secure lack of DS because we're not at a zone cut,
> > except if we know where the zone cuts are, and we don't.
>
> Having just looked through RFC 5155 for clues: isn’t that the purpose of
> the NS type bit in the NSEC3 record? In this example, DS university
> would give an NSEC3 record with the NS bit clear. That signals that we
> should go down a level and query DS campus. In this case we find a
> signed DS there. But if we were to find an NSEC3 with the NS bit set,
> then we’d know that we’ve really found an unsigned zone and can stop
> going down.
Aha: and this is exactly the answer given at
http://tools.ietf.org/html/rfc6840#section-4.4 .

Anders

_______________________________________________
Cerowrt-devel mailing list
https://lists.bufferbloat.net/listinfo/cerowrt-devel
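The rule the thread arrives at (RFC 6840 section 4.4: a secure denial of DS only proves an unsigned delegation when the matching NSEC/NSEC3 has the NS bit set and neither the DS nor the SOA bit), as an added example that is not code from the list or from any resolver. It decodes the RFC 4034 type bitmap as carried in NSEC and NSEC3 records and walks from the signed parent towards the queried name, exactly the "DS university, then DS campus" descent described above; the bitmaps and the `lookup_ds` callback are constructed for illustration.

```python
# Added example for this thread (not code from the list or any resolver):
# decode an RFC 4034 NSEC/NSEC3 type bitmap and apply the RFC 6840 s4.4 rule
# to a secure denial of DS. Bitmaps below are constructed, window 0 only.
NS, SOA, DS = 2, 6, 43  # IANA RR type codes

def decode_type_bitmap(bitmap: bytes) -> set[int]:
    """Decode the window-encoded type bitmap of RFC 4034 section 4.1.2."""
    types, i = set(), 0
    while i < len(bitmap):
        window, length = bitmap[i], bitmap[i + 1]
        if not 1 <= length <= 32 or i + 2 + length > len(bitmap):
            raise ValueError("malformed type bitmap")
        for byte_index in range(length):
            for bit in range(8):  # bit 0 is the most significant bit of the octet
                if bitmap[i + 2 + byte_index] & (0x80 >> bit):
                    types.add(window * 256 + byte_index * 8 + bit)
        i += 2 + length
    return types

def classify_ds_denial(bitmap: bytes) -> str:
    """What a validator may conclude from the NSEC/NSEC3 matching a DS query name."""
    types = decode_type_bitmap(bitmap)
    if DS in types:
        return "bogus"                # the record does not deny DS at all
    if SOA in types:
        return "apex"                 # answer came from the child apex, not the parent
    if NS in types:
        return "insecure-delegation"  # real zone cut with no DS: stop descending
    return "not-a-zone-cut"           # no delegation here: query DS one label lower

def walk_to_zone_cut(ancestors, lookup_ds):
    """Descend from the signed parent. lookup_ds(name) (hypothetical callback)
    returns ('ds', rrset) or ('denial', bitmap); stop at the first zone cut."""
    for name in ancestors:
        kind, payload = lookup_ds(name)
        if kind == "ds":
            return name, "secure-delegation"
        verdict = classify_ds_denial(payload)
        if verdict != "not-a-zone-cut":
            return name, verdict
    return None, "no-zone-cut"

# Constructed bitmaps: type t sits in byte t // 8 with mask 0x80 >> (t % 8);
# RRSIG (46) is 0x02 in byte 5, DS (43) is 0x10 in byte 5.
NOT_A_CUT = bytes([0, 6, 0x40, 0, 0, 0, 0, 0x02])       # A, RRSIG: name inside the zone
INSECURE = bytes([0, 6, 0x20, 0, 0, 0, 0, 0x02])        # NS, RRSIG: unsigned delegation
DENIAL_WITH_DS = bytes([0, 6, 0x20, 0, 0, 0, 0, 0x12])  # NS, DS, RRSIG: not a denial
```

With `NOT_A_CUT` returned for `university.example` and a DS RRset for `campus.university.example`, the walk descends past the first name and stops at the signed delegation; swap the second reply for `INSECURE` and it stops there with an insecure-delegation verdict instead.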
