Testing for things like a successful resolution to _25._tcp.example.com.
IN TLSA is something registries / registrars should be doing.  If
you deploy servers that are incapable of answering the query then
that becomes potential grounds for removal of the delegation.

Whether you have or don't have a TLSA record is an entirely separate
matter.

It is "can the server answer the question or not" that the parents
need to be concerned with.  www.example.com/AAAA, www.example.com/A,
example.com/MX, example.com/A and example.com/AAAA should all be
answerable, and if there is a negative response, the SOA record,
if present, should be consistent with the delegation.  An SOA for COM
is not a valid SOA record, with some exceptions.


In message <d27b5a19.b72b1%steve.dej...@neustar.biz>, "DeJong, Steve" writes:
> Greetings -
> As of Nov. 22 Neustar UltraDNS has completed the rollout of the latest
> resolver which addresses the NSEC3 authenticated denial of existence
> issues.
> 
> Thanks to Viktor for assisting in the testing and verification of the fix.
> 
> -Steve
> 
> 
> On 8/11/15, 10:20 PM, "DNSOP on behalf of Viktor Dukhovni"
> <dnsop-boun...@ietf.org on behalf of ietf-d...@dukhovni.org> wrote:
> 
> >    * Outdated versions of PowerDNS don't handle denial of
> >      existence correctly when the query domain's immediate parent
> >      also does not exist.  In particular queries of the form:
> >
> >     _25._tcp.example.com. IN TLSA ?
> >
> >      fail to elicit proof that "_tcp" does not exist (which is
> >      typically the case).  The response is then "bogus", and mail
> >      is delayed.
> >
> >      This currently afflicts various Neustar.biz nameservers, in
> >      some cases appearing as nameservers for various customers.
> >
> >
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
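A checker for the delegation probes Mark lists above (the www A/AAAA, apex MX/A/AAAA and _25._tcp TLSA queries, with the SOA-consistency rule for negative answers). This is an added example, not code from the thread; a response is modelled as a few plain values (rcode, answer count, SOA owner) so it runs offline, and the sample inputs are constructed.

```python
from typing import List, Optional, Tuple

# Queries a parent (registry/registrar) might issue against a delegation.
def probe_names(zone: str) -> List[Tuple[str, str]]:
    zone = zone.rstrip(".") + "."
    return [("www." + zone, "A"), ("www." + zone, "AAAA"),
            (zone, "MX"), (zone, "A"), (zone, "AAAA"),
            ("_25._tcp." + zone, "TLSA")]

def _is_subdomain(name: str, parent: str) -> bool:
    name = name.lower().rstrip(".") + "."
    parent = parent.lower().rstrip(".") + "."
    return name == parent or name.endswith("." + parent)

# rcode: "NOERROR", "NXDOMAIN", "SERVFAIL", ... or None for a timeout.
# answer_count: RRs in the answer section.
# soa_owner: owner name of the SOA in the authority section, None if absent.
# Returns (ok, reason).
def check_response(zone: str, qname: str, rcode: Optional[str],
                   answer_count: int, soa_owner: Optional[str]) -> Tuple[bool, str]:
    if rcode is None:
        return False, "no response (timeout)"
    if rcode not in ("NOERROR", "NXDOMAIN"):
        return False, "server could not answer: " + rcode
    if rcode == "NOERROR" and answer_count > 0:
        return True, "positive answer"
    # Negative response: an SOA, if present, must belong to this
    # delegation, i.e. sit between the zone apex and the query name.
    # An SOA for the parent (e.g. COM) is not acceptable here.
    if soa_owner is None:
        return True, "negative answer without SOA"
    if not _is_subdomain(soa_owner, zone):
        return False, "SOA owner %s is above the delegation %s" % (soa_owner, zone)
    if not _is_subdomain(qname, soa_owner):
        return False, "SOA owner %s does not cover %s" % (soa_owner, qname)
    return True, "negative answer with consistent SOA"

# Constructed sample: one NXDOMAIN with an SOA at the apex (fine), one
# negative answer carrying the parent's SOA (wrong), one SERVFAIL.
SAMPLE = [
    ("example.com", "_25._tcp.example.com.", "NXDOMAIN", 0, "example.com."),
    ("example.com", "_25._tcp.example.com.", "NXDOMAIN", 0, "com."),
    ("example.com", "example.com.", "SERVFAIL", 0, None),
]

def failing_probes(sample=SAMPLE) -> List[str]:
    return [q + ": " + check_response(z, q, r, n, s)[1]
            for (z, q, r, n, s) in sample
            if not check_response(z, q, r, n, s)[0]]
```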
