On Tue, Jan 21, 2014 at 10:55 AM, Matthew Pounsett <[email protected]>wrote:
> If the same server is authoritative for both zones you’ll still get an > answer for your request (for nic.red), so no NXDOMAIN, but the > cryptographic chain will be missing since the NSEC records in red indicate > that nic.red doesn’t exist. > > In this case of DS query, you won't receive an answer (i.e., record(s) in the "answer" section) because no DS records exist. If there is no delegation to the child zone in the parent, then the parent will either answer NXDOMAIN or NOERROR with NSEC(3) records having no NS bit set. Either case is problematic, but I believe the outcome depends on the existence of sibling glue in the parent zone. Casey
_______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
