On Fri, 26 Oct 2012, Peter van Dijk wrote:
nxd IN CNAME nxdomain.example.com.
PowerDNS currently does not generate this NSEC3 but this will be fixed shortly.
You would return an NSEC3 record for a record that actually
exists? That would be a very inconsistent nsec/nsec3 chain.
How would offline signers deal with this? Pregenerate nsec records
for data that _is_ in the zone?
It would also create a really odd behaviour difference between CNAMEs
pointing to non-existing in-zone, versus non-existint out-of-zone
destinations.
So my feeling, without having read the RFCs you quote, would be to say
that bind and nsd are correct in their behaviour, and that this might
be (or shoudl be) an errata to the RFCs.
Paul
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
