Hi Tony, Yang

On Tue, Jul 28, 2015 at 10:41:49PM +0100, Tony Finch wrote:
> However the weirdness in the NSEC3 record is not what is upsetting BIND,
> and it might be a bug. A noerror response with just NSEC3 and RRSIG(NSEC3)
> in the authority section should (I think) be treated as a type 3 nodata
> response (see RFC 2308). However BIND requires type 3 nodata responses to
> have completely empty authority sections. BIND will only recognise type 1
> or type 2 nodata responses (with SOA records in the authority section)
> from signed zones.

Mark pointed out on our internal bug ticket that RFC 2308 section 3
requires "no data" replies from signed zones to have an SOA RR in the
authority section.

Mukund
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
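An added example, not part of the thread and not BIND's code: a small Python classifier for the RFC 2308 section 2.2 response shapes discussed in the message above, showing how an authority section holding only NSEC3 and RRSIG is read when type 3 requires an empty authority section and when DNSSEC proof records are set aside first. The function names, the `ignore_dnssec` switch and the sample sections are assumptions made for illustration.

```python
# Added illustration, not BIND's code. Record types are plain strings.
DNSSEC_PROOF_TYPES = {"NSEC", "NSEC3", "RRSIG"}

# Constructed authority sections for NOERROR responses with an empty answer.
SAMPLES = {
    "unsigned, SOA and NS": ["SOA", "NS"],
    "signed, SOA plus proof": ["SOA", "RRSIG", "NSEC3", "RRSIG"],
    "empty authority": [],
    "NSEC3 and RRSIG only": ["NSEC3", "RRSIG"],
    "NS only": ["NS"],
}


def classify(authority_types, ignore_dnssec=False):
    """Name the RFC 2308 section 2.2 shape of a NOERROR, empty-answer response.

    ignore_dnssec=False: type 3 needs a completely empty authority section
    (the behaviour the quoted message attributes to BIND).
    ignore_dnssec=True: NSEC/NSEC3/RRSIG are set aside first (the reading
    the quoted message suggests). Hypothetical switch, for comparison only.
    """
    types = set(authority_types)
    if ignore_dnssec:
        types -= DNSSEC_PROOF_TYPES
    if "SOA" in types:
        return "nodata type 1" if "NS" in types else "nodata type 2"
    if "NS" in types:
        return "referral"
    if not types:
        return "nodata type 3"
    return "unrecognised"


def compare(samples=SAMPLES):
    """Return {label: (strict result, DNSSEC-ignoring result)}."""
    return {
        label: (classify(rrs), classify(rrs, ignore_dnssec=True))
        for label, rrs in samples.items()
    }


if __name__ == "__main__":
    for label, (strict, relaxed) in compare().items():
        print(f"{label:24} strict={strict:15} relaxed={relaxed}")
```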