At Thu, 4 Jan 2018 08:12:26 +1100,
Mark Andrews <[email protected]> wrote:
> The reply also has to work for STD13 clients which already know
> about the child zone. The NODATA response is the correct one despite
> it requiring more work for a DNSSEC client.

Section 2.2.1.1 of RFC 3658 also explains that point:

   [...] As these queries are only expected to originate
   from recursive nameservers which are not DS-aware, the authoritative
   nameserver MUST answer with:

      RCODE:             NOERROR
      AA bit:            set
      Answer Section:    Empty
      Authority Section: SOA [+ SIG(SOA) + NXT + SIG(NXT)]

   That is, it answers as if it is authoritative and the DS record does
   not exist. DS-aware recursive nameservers will query the parent zone
   at delegation points, so will not be affected by this.

--
JINMEI, Tatuya
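
The response shape quoted above from RFC 3658, as an added example that is not part of the original message: a check that a raw DNS reply to a DS query is NOERROR with AA set, an empty answer section and an SOA in the authority section. The helper names and the sample message built by `build_response` are constructed for illustration; the optional SIG/NXT records are not checked.

```python
import struct

TYPE_SOA, TYPE_DS = 6, 43
QR, AA, RCODE_MASK = 0x8000, 0x0400, 0x000F

def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = [p for p in name.split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:   # a compression pointer ends the name
            return off + 2
        off += 1 + n
        if n == 0:
            return off

def is_ds_nodata(msg):
    """NOERROR, AA set, empty answer section, SOA in the authority section."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    # QR and AA must be set and RCODE must be 0 (NOERROR); answer section empty
    if qd != 1 or an != 0 or (flags & (QR | AA | RCODE_MASK)) != (QR | AA):
        return False
    off = skip_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    if qtype != TYPE_DS:
        return False
    off += 4
    for _ in range(ns):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_SOA:
            return True
        off += 10 + rdlen
    return False

def build_response(zone, flags, with_soa):
    """Constructed sample: reply to a DS query for `zone` (id, TTLs, names made up)."""
    question = encode_name(zone) + struct.pack("!HH", TYPE_DS, 1)
    auth = b""
    if with_soa:
        rdata = (encode_name("ns." + zone) + encode_name("admin." + zone)
                 + struct.pack("!5I", 1, 3600, 600, 86400, 300))
        # owner name is a compression pointer to the question name at offset 12
        auth = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SOA, 1, 300, len(rdata)) + rdata
    header = struct.pack("!6H", 0x1234, flags, 1, 0, 1 if with_soa else 0, 0)
    return header + question + auth
```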