Hi List (& Chris & Tony),

> What *does* matter is that the NSEC3 "proves" that there are no NS
> records as well (as no DS ones) for newsletter.postbank.de (despite
> the fact that the NS records are included in the referral). Note the
> absence of opt-out in the NSEC3.

Thanks for the replies - and noticing the missing 'NS'!

From my rather brain-busting afternoon reading, I believe this
situation is covered by section 4.4 of RFC 6840, which requires a
validator to ensure the NS type bit is set for an insecure delegation's
NSEC(3) (or that it's covered by opt-out, but as Chris pointed out, that
doesn't seem to be the case here).

I've left feedback for the dnsviz maintainer in the hopes that this case
can be picked up in future.

Graham
--
Graham Clinch
Systems Programmer,
Lancaster University
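
The RFC 6840 section 4.4 check discussed in the message above, sketched as an added example (not part of the original post, and not BIND or DNSViz code). The function names and sample bitmaps are constructed for illustration, and the caller is assumed to have already compared the NSEC3 owner hash with the hash of the delegation name.

```python
import struct

NS, SOA, DS = 2, 6, 43   # RR type codes
OPT_OUT = 0x01           # NSEC3 Opt-Out flag bit (RFC 5155)

def encode_bitmap(types):
    """Build an RFC 4034 section 4.1.2 type bitmap; used here only to construct samples."""
    windows = {}
    for t in types:
        octets = windows.setdefault(t >> 8, bytearray(32))
        octets[(t & 0xFF) >> 3] |= 0x80 >> (t & 7)
    out = b""
    for window in sorted(windows):
        trimmed = bytes(windows[window]).rstrip(b"\x00")
        out += struct.pack("!BB", window, len(trimmed)) + trimmed
    return out

def decode_bitmap(data):
    """Return the set of RR types whose bits are set in a wire-format type bitmap."""
    types, i = set(), 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated window header")
        window, length = data[i], data[i + 1]
        if not 1 <= length <= 32 or i + 2 + length > len(data):
            raise ValueError("malformed window block")
        for octet, byte in enumerate(data[i + 2:i + 2 + length]):
            types.update(window * 256 + octet * 8 + bit
                         for bit in range(8) if byte & (0x80 >> bit))
        i += 2 + length
    return types

def insecure_delegation_ok(bitmap, flags, matches_name):
    """Apply the RFC 6840 section 4.4 check to the NSEC3 returned with a referral.

    matches_name: True if the NSEC3 owner hash equals the hash of the delegation
    name, False if the record only covers it (hash comparison is assumed done).
    """
    if not matches_name:
        # A covering NSEC3 proves an insecure delegation only with Opt-Out set.
        return bool(flags & OPT_OUT)
    types = decode_bitmap(bitmap)
    # Matching NSEC3: NS must be present, DS and SOA must be absent.
    return NS in types and DS not in types and SOA not in types

# Constructed samples (not the actual records from the thread).
NO_NS_BITMAP = encode_bitmap({1, 46})    # A, RRSIG: no NS and no DS bits
DELEGATION_BITMAP = encode_bitmap({NS})  # NS bit only, no DS or SOA
```

A matching NSEC3 with neither NS nor DS set, and no opt-out, fails this check even though the referral itself carries NS records.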