On Oct 24 2013, I wrote: [...]
Part of the problem is that only one NSEC3 record is returned - the one covering the zone apex, which doesn't necessarily cover the name queried for. But validation seems to fail even in cases when the name is so covered.
Ah - Mark Andrews' post points out why that is. "*.xn--80asehdb" (for example) isn't covered by the sole NSEC3 returned, even if the queried name is.

--
Chris Thompson               University of Cambridge Computing Service,
Email: [email protected]    Roger Needham Building, 7 JJ Thomson Avenue,
Phone: +44 1223 334715       Cambridge CB3 0RB, United Kingdom.
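The check discussed in this message, as an added Python example (not part of the original post, and not any validator's own code): it tests the three parts of an RFC 5155 name-error proof and builds a response whose single apex NSEC3 covers the queried name but not the wildcard. Only the zone name comes from the thread; the salt, iteration count, query labels and the NSEC3 interval are constructed.

```python
import base64, hashlib

B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                         b"0123456789abcdefghijklmnopqrstuv")

def nsec3_hash(name, salt, iterations):
    """RFC 5155 hash: iterated SHA-1 over the lowercase wire-format name."""
    wire = b"".join(bytes([len(l)]) + l.lower().encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):      # iterations = number of additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return digest

def b32hex(digest):                  # presentation form of a hashed owner name
    return base64.b32encode(digest).translate(B32HEX).decode()

def covers(owner, nxt, h):
    """True if h lies strictly inside the NSEC3 interval owner -> nxt."""
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt      # last record of the chain wraps around

def check_name_error(qname, closest_encloser, records, salt, iterations):
    """records: (owner_hash, next_hash) pairs from the response's NSEC3 RRs."""
    ce = closest_encloser.rstrip(".")
    labels = qname.rstrip(".").split(".")
    next_closer = ".".join(labels[-(ce.count(".") + 2):])
    h_ce, h_nc, h_wc = (nsec3_hash(n, salt, iterations)
                        for n in (ce, next_closer, "*." + ce))
    result = {"closest_encloser_matched": any(o == h_ce for o, _ in records),
              "next_closer_covered": any(covers(o, n, h_nc) for o, n in records),
              "wildcard_covered": any(covers(o, n, h_wc) for o, n in records)}
    result["valid"] = all(result.values())
    return result

def demo():
    # Constructed response: salt, iterations and query labels are made up.
    zone, salt, iters = "xn--80asehdb", bytes.fromhex("aabbccdd"), 5
    as_int = lambda n: int.from_bytes(nsec3_hash(n, salt, iters), "big")
    apex, wild = as_int(zone), as_int("*." + zone)
    for i in range(4096):            # find a query hashed between apex and wildcard
        qname = f"nx{i}.{zone}"
        if (as_int(qname) - apex) % 2**160 < (wild - apex) % 2**160:
            break
    nxt = ((as_int(qname) + 1) % 2**160).to_bytes(20, "big")
    sole = [(apex.to_bytes(20, "big"), nxt)]   # the only NSEC3 in the response
    return check_name_error(qname, zone, sole, salt, iters)
```

Calling `demo()` returns the per-condition results; `valid` is false because the wildcard at the closest encloser is not covered, even though the queried name is.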
