On 23. 07. 25 12:45, Philip Homburg wrote:
>>> ./DS is NOERROR NODATA. This is RFC described behaviour

>> Which part of which RFC? I, too, am not finding this, but you seem
>> sure it is in the RFCs.

> In my experience, if a DS query arrives at an authoritative and the name
> is in a zone served but not part of a delegation or below a delegation then
> DS will be treated like any other type.
>
> I'm not aware of any part of an RFC that requires the server to do anything
> different in this case.
>
> The funny thing is that because DS is a parent-side type, at a delegation
> it is also a completely normal in-zone lookup that can result in either
> an answer or a NODATA response.

That's beside the point. My initial question was explicitly about:
RFC 1034 5.3.3. Algorithm
RFC 4035 4.3. Determining Security Status of Data
I.e. resolver and validator.
At the moment 8.8.8.8, 1.1.1.1, BIND 9.21.10 and Knot Resolver running
DNS4EU give three different combinations of (RCODE, AD bit).
--
Petr Špaček
_______________________________________________
DNSOP mailing list -- [email protected]
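
To compare what different resolvers return for the root DS query discussed in this message, the (RCODE, AD bit) pair can be read directly from the response header. This is an added example, not part of the original message; the function names, the constructed sample responses and the 1232-octet EDNS buffer size are choices made here.

```python
import socket
import struct

DS, OPT, IN = 43, 41, 1
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """Wire-format name; the root "." is the single zero octet."""
    labels = [l for l in name.split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_ds_query(name, qid=0x1234):
    """DS query with RD=1 plus an EDNS0 OPT record carrying DO=1."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", DS, IN)
    # OPT: root owner, type 41, class = UDP size, TTL field with DO (0x8000), RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", OPT, 1232, 0x00008000, 0)
    return header + question + opt

def rcode_and_ad(response):
    """Return (RCODE name, AD bit, answer count) from the 12-octet header."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    rcode = flags & 0x000F  # low 4 bits only; extended RCODE bits live in OPT
    return RCODES.get(rcode, str(rcode)), bool(flags & 0x0020), ancount

def ask(server, name=".", timeout=3.0):
    """Send the query over UDP to a resolver address and decode the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_ds_query(name), (server, 53))
        return rcode_and_ad(s.recvfrom(4096)[0])

def constructed_response(query, rcode, ad):
    """Constructed sample: echo the question with a chosen RCODE/AD, no records."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | 0x0100 | 0x0080 | (0x0020 if ad else 0) | rcode
    question = query[12:len(query) - 11]  # drop header and the 11-octet OPT
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + question

if __name__ == "__main__":
    q = build_ds_query(".")
    # Constructed combinations, not measurements of any particular resolver.
    for label, rc, ad in [("sample A", 0, True), ("sample B", 0, False), ("sample C", 2, False)]:
        print(label, rcode_and_ad(constructed_response(q, rc, ad)))
```

Calling `ask()` with a resolver address performs the live query; an answer count of 0 with NOERROR is the NODATA case.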