> On 22 Jul 2025, at 18:58, Petr Špaček <[email protected]> wrote:
>
> On 22. 07. 25 18:26, Wessels, Duane wrote:
>>> On Jul 22, 2025, at 6:11 PM, Petr Špaček <[email protected]> wrote:
>>>
>>> Hi all.
>>>
>>> I wonder how to interpret '. DS'/'. DELEG' queries and welcome opinions!
>>> ...
>>> With strict interpretation of 'DS lives at parent' I would argue '. DS'
>>> should result in SERVFAIL: No parent for . can be contacted.
>>> ...
>>> Needless to say implementations vary in their responses.
>> You’re asking for clarity on what a recursive resolver should return in this
>> case, and not what an authoritative server should return for an $ORIGIN/DS
>> query, right?
>
> Yes please. I don't see ambiguity in definition for auths. Resolvers and
> validators are giving me trouble.

You return the response from the parent zone unless the QNAME is . in which
case you return the zone apex result. If the server is unaware of the new
rules for the QTYPE it will return whichever it has accepted as being valid.

DELEG and DS are types that are generally not queried for and if they are
queried for they are done by software that knows how to request the response
from the correct servers.

For DNSSEC the server at the end of the forwarding chain needed to be DNSSEC
aware so it could retrieve the correct DS. The same will be the case for
DELEG. The intermediate servers also need to be DELEG/DS aware if they are
validating.

A recursive server doesn’t query for DELEG in normal operations. It learns of
DELEG as a side effect of a referral so forwarders are generally not an issue.

> --
> Petr Špaček
>
> --
> dd mailing list -- [email protected]
> To unsubscribe send an email to [email protected]

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
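
The selection rule stated in the reply above (parent zone for DS/DELEG, zone apex when the QNAME is "."), sketched as an added example; it is not code from the thread or from any resolver implementation. The names `zone_to_ask` and `known_zones` and the sample zones are assumptions made for illustration.

```python
# Added illustration: which zone's servers a resolver asks for (QNAME, QTYPE).
# The zone list used with it is constructed sample data, not from the thread.

PARENT_SIDE_TYPES = {"DS", "DELEG"}  # types that live on the parent side of a cut


def labels(name):
    """Split an absolute domain name into lowercase labels; '.' gives []."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def is_at_or_below(name, zone):
    """True if `name` equals `zone` or is a subdomain of it."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def zone_to_ask(qname, qtype, known_zones):
    """Return the apex of the zone whose servers should answer the query.

    known_zones: apexes of zones the resolver knows cuts for; must include '.'.
    """
    candidates = [z for z in known_zones if is_at_or_below(qname, z)]
    if qtype.upper() in PARENT_SIDE_TYPES and labels(qname):
        # Parent-side type below the root: drop the zone whose apex is QNAME
        # itself, so the closest zone strictly above QNAME is selected.
        candidates = [z for z in candidates if labels(z) != labels(qname)]
    # QNAME '.' has no parent, so the root zone apex answers even for DS/DELEG.
    return max(candidates, key=lambda z: len(labels(z)))


if __name__ == "__main__":
    zones = [".", "org.", "example.org."]  # constructed sample zone cuts
    for qname, qtype in [("example.org.", "DS"), ("example.org.", "A"),
                         (".", "DS"), (".", "DELEG")]:
        print(qname, qtype, "->", zone_to_ask(qname, qtype, zones))
```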
