On 09/12/2021 18.16, Mats Dufberg wrote:
The wildcard proof involves an opt-out NSEC3 record in this case. That means a delegation might exist instead of the wildcard expansion, but that can't be (dis)proven.If you query for something that matches that wildcard, e.g. "x.lindforslaw.se A", then AD is not set, but it is not SERVFAIL.
--Vladimir | knot-resolver.cz
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
