* Tony Finch: > What does 2 return to 3? It can't send a signed NSEC because DO=0.
ANY is special, you can get NSEC and RRSIG in responces with DO=0 (some implementations do that). With suitably aligned TTLs, I suppose you can even end up with just a NSEC/RRSIG RRset pair. NSEC3 is different because of the QNAME mismatch. There, the problem you describe actually exists, I think. _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
