On 07. 02. 19 13:52, Ted Lemon wrote:
> On Feb 7, 2019, at 7:44 AM, Petr Špaček <[email protected]> wrote:
>> When looking at it from resolver perspective, what is the resolver
>> supposed to do with query "zone. NS" if there is no authoritative NS set
>> in the zone? Return NOERROR+NODATA?
>
> It should reply with no error and no data. But this is okay, because
> you never need to ask this question in order to resolve a name. If you
> are looking up an NS record with intent to use it, it’s going to be in
> the parent zone, where you are looking for a delegation.

I feel something bad will happen if parent and child zones are on the same
auth server and resolver is using query name minimization...
(This configuration *does* exist in the wild as we know from debugging Knot
Resolver - we do query name minimization by default.)

My gut feeling is that it should be mandatory but I would like to hear
from other implementers what assumptions they have in code.

Petr Špaček @ CZ.NIC

> The real question is whether the NS record needs to be validated. If
> it does, then it needs to be signed, and so it needs to appear in the
> zone. But that’s what the DS record is for, right? :)

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
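
The shared-server configuration raised in the message above, as an added example that is not part of the original thread: a simplified authoritative lookup (the most specific hosted zone answers, NS below the apex produces a referral) receiving the minimized query `zone.example. NS`. The zone names, records and function names are constructed for illustration, and the model ignores DNSSEC, wildcards and CNAMEs.

```python
# Toy authoritative lookup over constructed zone data (no DNSSEC, wildcards, CNAMEs).
PARENT = {  # zone "example." with a delegation to zone.example.
    ("example.", "SOA"): ["ns.example. admin.example. 1"],
    ("example.", "NS"): ["ns.example."],
    ("zone.example.", "NS"): ["ns.example."],
}
CHILD_WITH_NS = {
    ("zone.example.", "SOA"): ["ns.example. admin.example. 1"],
    ("zone.example.", "NS"): ["ns.example."],
}
CHILD_NO_NS = {("zone.example.", "SOA"): ["ns.example. admin.example. 1"]}

def labels(name):
    return name.rstrip(".").split(".")

def find_zone(zones, qname):
    """Most specific hosted zone that encloses qname, or None."""
    parts = labels(qname)
    for i in range(len(parts)):
        origin = ".".join(parts[i:]) + "."
        if origin in zones:
            return origin
    return None

def answer(zones, qname, qtype):
    """Return (kind, rrset) for one query against the hosted zones."""
    origin = find_zone(zones, qname)
    if origin is None:
        return ("REFUSED", [])
    zone, parts = zones[origin], labels(qname)
    # NS at a name below the apex is a delegation: answer with a referral.
    for i in range(len(parts) - len(labels(origin)) - 1, -1, -1):
        cut = ".".join(parts[i:]) + "."
        if (cut, "NS") in zone:
            return ("REFERRAL", zone[(cut, "NS")])
    if (qname, qtype) in zone:
        return ("ANSWER", zone[(qname, qtype)])
    exists = any(owner == qname for owner, _ in zone)
    return ("NODATA" if exists else "NXDOMAIN", [])

def probe(child=None):
    """Send the minimized query 'zone.example. NS' to the shared server."""
    zones = {"example.": PARENT}
    if child is not None:
        zones["zone.example."] = child
    return answer(zones, "zone.example.", "NS")[0]

if __name__ == "__main__":
    for label, child in [("parent only", None), ("child with apex NS", CHILD_WITH_NS),
                         ("child without apex NS", CHILD_NO_NS)]:
        print(f"{label}: {probe(child)}")
```

In the third case the server answers from the child zone, so in this model the query returns neither a referral nor an NS RRset for `zone.example.`.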
