On Mon, Jan 20, 2014 at 4:11 PM, Matthew Pounsett <[email protected]> wrote:

>
> On Jan 20, 2014, at 11:37 , Roy Arends <[email protected]> wrote:
>
> > The problem is indeed the absence of type NS in the type bit maps, as
> > you (and Peter van Dijk) showed in your previous mail.
>
> It’s hard to see from outside since it’s all the same NS set, but I suspect
> red. and nic.red. are separate zones, but that there is no delegation from
> red. to nic.red.  I’ve seen that mistake before.  With the same NS set it
> wouldn’t appear as a problem prior to signing.
>
>
That could be the case (the issue appears to be fixed now).  In the past
when I've seen this the authoritative server returns NXDOMAIN status,
rather than NOERROR, as the name (according to the delegating parent zone,
which answers for DS) does not exist.  In this case, the name does appear
to exist, but with no record types.  I'm guessing that is because there is
some "sibling glue" in the "red" zone for another delegation, whose NS
records include server names in "nic.red".  Interesting find - I hadn't
seen this scenario before.

Casey
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
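
As an added illustration, not code from anyone in this thread: a decoder for the NSEC/NSEC3 Type Bit Maps field (RFC 4034, section 4.1.2) that reports what a DS denial at a name shows, including the case discussed above where the name exists but type NS is absent. The function names, result labels and sample byte strings are constructed for this example.

```python
# Added example: decode NSEC/NSEC3 Type Bit Maps and classify a DS denial.
NS, SOA, DS = 2, 6, 43  # RR type codes

def decode_type_bitmaps(data: bytes) -> set:
    """Return the set of RR type codes present in a Type Bit Maps field."""
    types, pos, last_window = set(), 0, -1
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated window header")
        window, length = data[pos], data[pos + 1]
        pos += 2
        if not 1 <= length <= 32:
            raise ValueError("bitmap length must be 1..32")
        if window <= last_window:
            raise ValueError("window blocks must be in increasing order")
        if pos + length > len(data):
            raise ValueError("truncated bitmap")
        for i, octet in enumerate(data[pos:pos + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):  # bit 0 is the most significant bit
                    types.add(window * 256 + i * 8 + bit)
        pos += length
        last_window = window
    return types

def classify_ds_denial(bitmap: bytes) -> str:
    """Say what the bitmap of the record matching the queried name shows."""
    types = decode_type_bitmaps(bitmap)
    if DS in types:
        return "ds-present"            # not a denial of DS at all
    if NS in types and SOA not in types:
        return "insecure-delegation"   # delegation point without DS
    if NS in types:
        return "zone-apex"             # NS and SOA: apex of the signing zone
    return "name-exists-no-ns"         # no delegation shown at this name

# Constructed sample bitmaps (window 0, 6 bitmap octets), not captured data.
DELEGATION_NO_DS = bytes.fromhex("0006200000000003")  # NS RRSIG NSEC
SIGNED_DELEGATION = bytes.fromhex("0006200000000012")  # NS DS RRSIG
NO_TYPES = b""  # name exists with no record types, as described in the thread

if __name__ == "__main__":
    for label, bm in [("delegation", DELEGATION_NO_DS),
                      ("signed", SIGNED_DELEGATION),
                      ("empty", NO_TYPES)]:
        print(label, sorted(decode_type_bitmaps(bm)), classify_ds_denial(bm))
```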