Paul Wouters <p...@nohats.ca> wrote:
>
> Because this is the parental NS RRset for the child, which the parent
> does not sign.

Right.

> The NSEC only covers the existence of the DS record, not of the glue
> records.

Not quite. A delegation NSEC record lists NS NSEC RRSIG and maybe DS, even
though NS isn't signed. (You are right that glue records aren't in the
NSEC chain, though.)

> You really need to find the NSEC(3) record that proves the parent has
> no DS record for the child zone, and really have to find and submit
> the TLSA record and RRSIG. That way the logs can tell who signed the
> DS and/or TLSA record.

Yes. Should probably log the whole DS/DNSKEY/RRSIG chain. You don't need
to log NSEC(3) unless you need to log a proof of nonexistence - maybe to
prove lack of delegation points if there are intermediate labels?

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Fitzroy: Northerly veering northeasterly 4 or 5, increasing 5 to 7 in east.
Rough or very rough. Drizzle. Moderate or good.
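The delegation-NSEC check the message describes, as an added example that is not from the thread: it decodes the NSEC type bitmap in RFC 4034 section 4.1.2 wire format and reports whether the parent's NSEC at the child's name lists DS (secure delegation) or only NS, RRSIG and NSEC (no DS, so the proof of non-existence the log needs). The two wire-format bitmaps at the bottom are constructed for this example.

```python
# Added example, not from the thread: decode a parent-side NSEC type bitmap
# (RFC 4034 section 4.1.2 wire format) and classify the delegation the way
# the message describes: NS + RRSIG + NSEC without DS is an insecure
# delegation, the same set plus DS is a secure one. Wire bytes are constructed.
from typing import FrozenSet, Iterable

NS, SOA, DS, RRSIG, NSEC = 2, 6, 43, 46, 47  # RR type numbers (IANA registry)

def parse_type_bitmap(bitmap: bytes) -> FrozenSet[int]:
    """Decode an NSEC/NSEC3 type bitmap into the set of RR type numbers."""
    types, i = set(), 0
    while i < len(bitmap):
        if i + 2 > len(bitmap):
            raise ValueError("truncated window header")
        window, length = bitmap[i], bitmap[i + 1]
        if not 1 <= length <= 32 or i + 2 + length > len(bitmap):
            raise ValueError("bad window length")
        for byte_index in range(length):
            byte = bitmap[i + 2 + byte_index]
            for bit in range(8):
                if byte & (0x80 >> bit):
                    types.add(window * 256 + byte_index * 8 + bit)
        i += 2 + length
    return frozenset(types)

def encode_type_bitmap(types: Iterable[int]) -> bytes:
    """Inverse of parse_type_bitmap; used here to build the sample bitmaps."""
    types, out = set(types), bytearray()
    for window in sorted({t >> 8 for t in types}):
        bits = bytearray(32)
        for t in types:
            if t >> 8 == window:
                bits[(t & 0xFF) >> 3] |= 0x80 >> (t & 7)
        length = max(i for i, b in enumerate(bits) if b) + 1
        out += bytes([window, length]) + bits[:length]
    return bytes(out)

def classify_delegation(nsec_types: FrozenSet[int]) -> str:
    """Classify the NSEC owned by the child's name in the parent zone."""
    if SOA in nsec_types or NS not in nsec_types:
        return "not-a-delegation"  # zone apex or ordinary name, not a cut
    if RRSIG not in nsec_types or NSEC not in nsec_types:
        return "malformed"  # a signed delegation NSEC always lists these two
    return "secure" if DS in nsec_types else "insecure"

# Constructed wire forms of the two bitmaps a parent can serve at a delegation.
INSECURE_BITMAP = bytes.fromhex("0006 200000000003")  # NS RRSIG NSEC, no DS
SECURE_BITMAP = bytes.fromhex("0006 200000000013")  # NS DS RRSIG NSEC
```

Glue address records never appear in this bitmap, which is why the glue is outside the NSEC chain as the message notes; the owner name of the NSEC must also be checked against the child name before the classification means anything.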

_______________________________________________
dane mailing list
dane@ietf.org
https://www.ietf.org/mailman/listinfo/dane
