On Feb 7, 2019, at 7:44 AM, Petr Špaček <[email protected]> wrote: > When looking at it from resolver perspective, what is the resolver > supposed to do with query "zone. NS" if there is no authoritative NS set > in the zone? Return NOERROR+NODATA?
It should reply with no error and no data. But this is okay, because you never need to ask this question in order to resolve a name. If you are looking up an NS record with intent to use it, it’s going to be in the parent zone, where you are looking for a delegation. The real question is whether the NS record needs to be validated. If it does, then it needs to be signed, and so it needs to appear in the zone. But that’s what the DS record is for, right? :)
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
