On Tue, Oct 23, 2012 at 6:36 AM, Stephane Bortzmeyer <bortzme...@nic.fr> wrote:

> On Tue, Oct 23, 2012 at 06:27:12AM -0700,
> Casey Deccio <ca...@deccio.net> wrote
> a message of 88 lines which said:
>
> > The issue here is that no delegation NS records exist for
> > v1.pcextreme.nl in its parent zone, pcextreme.nl. Thus when any
> > server (authoritative for both zones) is queried for
> > v1.pcextreme.nl/DS, NXDOMAIN is returned because there are no
> > records by that name in the parent (no DS or NS).
>
> But it should reply NOERROR,DATA=0, no NXDOMAIN. Indeed,
> pcextreme.nl's name servers reply NXDOMAIN for DS queries but not for
> other QTYPES.
>
> So, no bug in BIND and Unbound, only in the zone?

Yes. Prior to DNSSEC, it used to be that if all servers authoritative for a parent were also authoritative for the delegated child, then they could get away with not having any delegation records in the parent. With DNSSEC this omission causes these NXDOMAIN issues with validating resolvers when child is signed and parent has no DS.

Casey
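
The behaviour discussed in this thread, as an added example that is not part of the original messages: a simplified Python model of how a server authoritative for both parent and child chooses which zone answers a query, and why only the DS query turns into NXDOMAIN when the parent has no delegation. The record sets are constructed sample data, and the `answer` and `in_zone` helpers are hypothetical names, not BIND or Unbound code.

```python
# Simplified model: a zone is a set of (owner, type) pairs.
# All records below are constructed for illustration.
CHILD_APEX = "v1.pcextreme.nl."
PARENT_BROKEN = {("pcextreme.nl.", "SOA"), ("pcextreme.nl.", "NS")}
# Corrected parent: delegation NS present, still no DS for the child.
PARENT_FIXED = PARENT_BROKEN | {(CHILD_APEX, "NS")}
CHILD = {(CHILD_APEX, "SOA"), (CHILD_APEX, "NS"), (CHILD_APEX, "DNSKEY")}


def in_zone(zone, qname):
    """True if qname, or any name below it, exists in the zone."""
    return any(o == qname or o.endswith("." + qname) for o, _ in zone)


def answer(parent, child, child_apex, qname, qtype):
    """Return (rcode, answer_count) from a server holding both zones."""
    # DS belongs to the parent side of a zone cut (RFC 4035, 3.1.4.1),
    # so a DS query for the child apex is answered from the parent zone
    # even though the same server also has the child zone loaded.
    if qtype == "DS" and qname == child_apex:
        zone = parent
    elif qname == child_apex or qname.endswith("." + child_apex):
        zone = child
    else:
        zone = parent
    if not in_zone(zone, qname):
        return ("NXDOMAIN", 0)      # the name does not exist in that zone
    hits = sum(1 for o, t in zone if o == qname and t == qtype)
    return ("NOERROR", hits)        # hits == 0 is the NOERROR, DATA=0 case


if __name__ == "__main__":
    for label, parent in (("no delegation", PARENT_BROKEN),
                          ("delegation NS", PARENT_FIXED)):
        for qtype in ("DS", "SOA"):
            rcode, n = answer(parent, CHILD, CHILD_APEX, CHILD_APEX, qtype)
            print(f"{label:14} {CHILD_APEX}/{qtype:3} -> {rcode}, answers={n}")
```

With the delegation NS in place the DS query yields NOERROR with an empty answer, which is the response a validating resolver needs to treat the child as an insecure delegation.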