sanity check, someone?
i believe that in dnssec, an empty non-terminal has a proof that the
name exists, and a proof that there are no RR's. thus, vastly different
from the signaling for NXDOMAIN.
Yes, it does. With NSEC3 it is an explicit proof. With NSEC you have to
read between the lines.
NSEC3: see RFC5155 sections 7.1 and B.2.1.
NSEC: if foo.example is an empty non-terminal, then there will exist an
NSEC record such as "echo.example NSEC alpha.foo.example ..." - the ENT's
name is part of the "next domain name".
-- Sam
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
