On Jan 21, 2014, at 09:34 , Casey Deccio <[email protected]> wrote: > That could be the case (the issue appears to be fixed now). In the past when > I've seen this the authoritative server returns NXDOMAIN status, rather than > NOERROR, as the name (according the delegating parent zone, which answers for > DS) does not exist. In this case, the name does appear to exist, but with no > record types. I'm guessing that is because there is some "sibling glue" in > the "red" zone for another delegation, which NS records include server names > in "nic.red". Interesting find - I hadn't seen this scenario before.
If the same server is authoritative for both zones you’ll still get an answer for your request (for nic.red), so no NXDOMAIN, but the cryptographic chain will be missing since the NSEC records in red indicate that nic.red doesn’t exist. _______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
