* Tony Finch wrote:
> Sure. Zone cuts are very subtle :-) The basic principle is that the parent
> zone is not authoritative for any data at or below the cut, except for the
> DNSSEC records (DS + RRSIG, NSEC + RRSIG).

Be careful: The parent zone is responsible for DS (+ RRSIG).
NSEC (+ RRSIG) exists authoritatively on both sides of the zone cut.

For example, querying for an insecure delegation shows both kinds of NSEC.

;; AUTHORITY SECTION:

; non-dnssec claim of nonexistence
com.br.                 SOA     a.dns.br. hostmaster.registro.br. (
                                2012031666 ; serial
                                1800       ; refresh (30 minutes)
                                900        ; retry (15 minutes)
                                604800     ; expire (1 week)
                                900        ; minimum (15 minutes)
                                )
com.br.                 RRSIG   SOA 7 2 172800 20120323163000 (
                                20120316163000 7461 com.br.
                                HRKmhQCUx2P28l0y5EmeIxtYi1+uJeI0qQjYPCZBgpEV
                                z9Wk9oQn0X/KHqCQ4X3JdRzCJYuC7lcY4hWBLqtQLHps
                                K8nsgsW++BpkiTjjw/3yoBGsr2snkw67b4bKM3hRvJVq
                                GlU54/c2WoL+iKlkKuy5R9tVk8iyeDKl4j6zy8M= )

; proof of nonexistence of the DS entry (parent side of the delegation)
20e6o8ev0ngfj3nq9c84pq3cd98ltuna.com.br. NSEC3 1 1 10 B6B56D69FD3D517B6F1F (
                                20EO548SBIDT8BV27T05E8I792PTAUCE
                                NS DS RRSIG )
20e6o8ev0ngfj3nq9c84pq3cd98ltuna.com.br. RRSIG NSEC3 7 3 900 20120323100000 (
                                20120316100000 7461 com.br.
                                N8rihTxtzTh9cw1AqgvvxYCBIRYdbxHuE7NP3zIDmTDM
                                6aQQTHmnMcbNu62eWjk+SNDigMaTP5ZEb/DWixUMRzkX
                                3Gwc8sChVGKFtiQq1Oxz9YVHSOFEwGfXFdnj1CAAkjKb
                                Lx+D4XwPGsH5VaTxcxmzfKjUl429GpNbZTgX4JY= )

; proof of nonexistence of the * entry (child side of com.br)
a3p275h0heofpluvkn8u05u4m31lpesp.com.br. NSEC3 1 1 10 B6B56D69FD3D517B6F1F (
                                A3P9CUSOD0Q7LR0QJKLQV4CNCCL8P3N8
                                NS SOA RRSIG DNSKEY NSEC3PARAM )
a3p275h0heofpluvkn8u05u4m31lpesp.com.br. RRSIG NSEC3 7 3 900 20120323100000 (
                                20120316100000 7461 com.br.
                                FUYjLH8X/yGE2VaZMGd7wmWSDuMnb4mUeXEtkgzyAIuH
                                SRtBan9PhusnGEpSndwFg2iUd9xxrDuwcbb/7csJOnou
                                zjvYLZkFA5KSfY0tLzHfIb0xNhp3SxIi2s1xT1vVDOts
                                OpilNgcSJH69791NpArZJsmlCfSh4LRvC8G8l70= )
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
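
Added example, not part of the original message: it parses the two NSEC3 records from the dig output above and uses the NS and SOA bits of the type bitmap to tell which side of a zone cut each record describes. The function names are this example's own, and the insecure-delegation test follows the bitmap rule in RFC 6840 section 4.4.

```python
import re

# The two NSEC3 records copied from the dig output above (RRSIGs left out).
SAMPLE = """\
20e6o8ev0ngfj3nq9c84pq3cd98ltuna.com.br. NSEC3 1 1 10 B6B56D69FD3D517B6F1F (
                                20EO548SBIDT8BV27T05E8I792PTAUCE
                                NS DS RRSIG )
a3p275h0heofpluvkn8u05u4m31lpesp.com.br. NSEC3 1 1 10 B6B56D69FD3D517B6F1F (
                                A3P9CUSOD0Q7LR0QJKLQV4CNCCL8P3N8
                                NS SOA RRSIG DNSKEY NSEC3PARAM )
"""

# owner [ttl] [IN] NSEC3 alg flags iterations salt ( next-hash type-bitmap )
NSEC3_RE = re.compile(
    r"(\S+\.)\s+(?:\d+\s+)?(?:IN\s+)?NSEC3\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+"
    r"\(\s*(\S+)\s+([^)]*)\)")

def parse_nsec3(text):
    """Parse dig-style multi-line NSEC3 records; ';' comments are ignored."""
    text = re.sub(r";[^\n]*", "", text)
    out = []
    for owner, _alg, flags, iters, salt, nxt, types in NSEC3_RE.findall(text):
        owner_hash, zone = owner.split(".", 1)
        out.append({
            "owner_hash": owner_hash.lower(),
            "zone": zone,
            "opt_out": bool(int(flags) & 1),   # flags bit 0 is Opt-Out
            "iterations": int(iters),
            "salt": salt,
            "next_hash": nxt.lower(),
            "types": types.split(),
        })
    return out

def zone_cut_side(types):
    """Which side of a zone cut does this type bitmap describe?"""
    if "SOA" in types:
        return "child"    # zone apex: SOA exists only in the child zone
    if "NS" in types:
        return "parent"   # NS without SOA: delegation point in the parent
    return "none"         # ordinary name, not at a zone cut

def proves_insecure_delegation(types):
    """Bitmap test for an NSEC/NSEC3 matching the delegation name:
    NS set, SOA and DS clear (RFC 6840 section 4.4)."""
    return "NS" in types and "SOA" not in types and "DS" not in types

if __name__ == "__main__":
    for r in parse_nsec3(SAMPLE):
        print(r["owner_hash"], r["types"], "->", zone_cut_side(r["types"]))
```
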