In message <[email protected]>, Ray Bellis writes:
> On 26/10/2015 06:39, Paul Vixie wrote:
> > sanity check, someone?
> > 
> > i believe that in dnssec, an empty non-terminal has a proof that the
> > name exists, and a proof that there are no RR's. thus, vastly
> > different from the signaling for NXDOMAIN.
> 
> RFC 4035 §3.1.3.2 appears to say differently :(
> 
> The subject of that section is "Including NSEC RRs: Name Error
> Response", and it says:
> 
> "Note that this form of response includes cases in which SNAME
>  corresponds to an empty non-terminal name within the zone (a name
>  that is not the owner name for any RRset but that is the parent name
>  of one or more RRsets)."

It's a heads up to say you need to be very careful here.  The NSEC
record provides both nonexistence and potentially existence proofs
for names in the range on the NSEC.  It's not saying the ENT gets
Name Error.

> Paul and I already exchanged mail off-list - I think we're both equally
> surprised at the above.
> 
> Clarification from the authors of the rationale for this would be useful
> here!
> 
> Ray
> 
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
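
Added example, not part of the message above or of any RFC text: a sketch of how a validator can tell, from a single NSEC record, whether a covered name is an empty non-terminal or a true Name Error. The function names and the sample zone are hypothetical; it assumes the NSEC signature is already validated and ignores wildcards, NSEC3 and escaped dots.

```python
# Added illustration; names and zone contents are constructed sample data.
# Assumes the NSEC RRSIG has already been validated and that names carry no
# escaped dots; wildcards and NSEC3 are out of scope.

def canon_key(name):
    """Sort key for RFC 4034 section 6.1 canonical order: labels are
    lowercased and compared right to left, so a parent sorts before
    its descendants."""
    labels = [l.lower().encode("ascii") for l in name.rstrip(".").split(".") if l]
    return labels[::-1]

def is_descendant(name, ancestor):
    n, a = canon_key(name), canon_key(ancestor)
    return len(n) > len(a) and n[:len(a)] == a

def classify(qname, nsec_owner, nsec_next):
    """What one NSEC (owner -> next) proves about qname."""
    q, o, n = canon_key(qname), canon_key(nsec_owner), canon_key(nsec_next)
    if q == o:
        return "owner-name"            # name exists; consult the type bitmap
    wraps = n <= o                     # last NSEC in the zone points back to the apex
    if not (o < q and (wraps or q < n)):
        return "not-covered"           # this NSEC says nothing about qname
    if is_descendant(nsec_next, qname):
        return "empty-non-terminal"    # something exists below qname: NODATA
    return "name-error"                # nothing at or below qname: NXDOMAIN

# Constructed zone: a.example. and c.b.example. exist, b.example. owns nothing.
SAMPLE_NSEC = ("a.example.", "c.b.example.")

if __name__ == "__main__":
    for q in ("b.example.", "aa.example.", "a.example.", "d.example."):
        print(q, "->", classify(q, *SAMPLE_NSEC))
```

The same NSEC covers both b.example. and aa.example.; only the relationship between the query name and the NSEC's next name separates the two outcomes.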
