On Fri, Jan 5, 2018 at 10:27 AM, 神明達哉 <[email protected]> wrote:
> At Thu, 4 Jan 2018 08:12:26 +1100,
> Mark Andrews <[email protected]> wrote:
>
> > The reply also has to work for STD13 clients which already know
> > about the child zone. The NODATA response is the correct one despite
> > it requiring more work for a DNSSEC client.
>
> Section 2.2.1.1 of RFC 3658 also explains that point:
>
>    [...] As these queries are only expected to originate
>    from recursive nameservers which are not DS-aware, the authoritative
>    nameserver MUST answer with:
>
>       RCODE: NOERROR
>       AA bit: set
>       Answer Section: Empty
>       Authority Section: SOA [+ SIG(SOA) + NXT + SIG(NXT)]
>
>    That is, it answers as if it is authoritative and the DS record does
>    not exist. DS-aware recursive nameservers will query the parent zone
>    at delegation points, so will not be affected by this.
>

I hate having my own RFC thrown at me, but it may or may not apply, as there is another corner case that I/WG did not consider: what if the NameServer is authoritative for a zone above the parent? In this case it has to select whether it answers from the closest zone that can answer the DS record or from the zone itself. In the spirit of being helpful to recursive resolvers, the right answer IMHO is the referral from the zone above the query name.

Olafur

> --
> JINMEI, Tatuya
>
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
>
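The zone-selection question raised in this message, as an added illustration that is not part of the thread and not code from any name server implementation: given the set of zones a server is authoritative for, decide which zone a DS query is answered from. It starts the lookup at the parent of the query name (where DS records live), answers authoritatively when the parent is served, returns a referral from the closest served ancestor when only a zone above the parent is served (the preference stated above), and falls back to the RFC 3658 NODATA answer when the server serves only the child itself. The zone names, delegations and the `SERVED_ZONES` table are constructed for the example.

```python
"""Added illustration: which zone an authoritative server answers a DS
query from. Not from the thread or any real name server; zone names and
delegations below are constructed for the example."""

# Zones this hypothetical server is authoritative for, each mapped to the
# set of names it delegates (a delegation point is the child's apex name).
SERVED_ZONES = {
    "example.": {"sub.example."},        # grandparent; delegates sub.example.
    "child.sub.example.": set(),          # child served, parent sub.example. is NOT
    "both.example.": {"kid.both.example."},
    "kid.both.example.": set(),           # parent and child both served
}


def parent(name):
    """Strip the leftmost label: 'a.b.c.' -> 'b.c.'; the root has no parent."""
    if name == ".":
        return None
    rest = name.split(".", 1)[1]
    return rest if rest else "."


def closest_enclosing_zone(name, zones):
    """Longest served zone whose apex is `name` or an ancestor of it, or None."""
    n = name
    while n is not None:
        if n in zones:
            return n
        n = parent(n)
    return None


def answer_ds_query(qname, zones=SERVED_ZONES):
    """Decide how a DS query for `qname` is answered. Returns (kind, name):

      ("authoritative", zone) - the parent zone is served; answer from it
      ("referral", delegation) - only a zone above the parent is served;
                                 refer the resolver to that delegation
      ("nxdomain", zone)      - an ancestor is served but has no such delegation
      ("nodata", zone)        - only qname's own zone is served; answer per
                                RFC 3658: NOERROR, AA set, empty answer, SOA
      ("refused", None)       - nothing relevant is served
    """
    p = parent(qname)
    if p is not None:
        z = closest_enclosing_zone(p, zones)
        if z is not None:
            if z == p:
                return ("authoritative", z)
            # Serving an ancestor of the parent: find the delegation in that
            # zone that covers the parent name and refer from there.
            for d in zones[z]:
                if closest_enclosing_zone(p, {d}) == d:
                    return ("referral", d)
            return ("nxdomain", z)
    if qname in zones:
        return ("nodata", qname)
    return ("refused", None)


if __name__ == "__main__":
    for q in ("child.sub.example.", "kid.both.example.", "sub.example.",
              "x.unknown.example.", "other.net."):
        print(q, "->", answer_ds_query(q))
```

The ordering matters: checking the parent side first is what keeps a server that serves both parent and child from giving the child's NODATA answer when it could give the parent's real DS RRset, and the NODATA branch is reached only when no served zone sits above the query name at all.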
