On the dns-operations list there is a thread of interest. Someone has a set of name servers that all have a setup where the parent zone has no delegation to the child (no DS and no NS), but the child zone is also configured without DNSSEC records.

Looking at the relevant text in DNSSEC Protocol Modifications [RFC 4035], I see this at the end of the intro to "Authenticating DNS Responses" [Section 5]:

    ... The absence of DNSSEC data in a response MUST NOT by itself be taken as an indication that no authentication information exists. A resolver SHOULD expect authentication information from signed zones. A resolver SHOULD believe that a zone is signed if the resolver has been configured with public key information for the zone, or if the zone's parent is signed and the delegation from the parent contains a DS RRset.

In the case presented, when the validator, upon seeing no DNSSEC records in a query for the child's SOA, asks for the DS record for the child, the response is NOT "NoError, NoData" but "NXDOMAIN." I can see how sloppy code might take these two to mean that security "stops" - no DS - but the two answers are very different. The former means security stops; the latter means there ought to be nothing.

The above text might benefit from noting that if a zone is said to not exist, there should be no data there, whether or not a response has unsigned records for it. Or something like that - but I'm not convinced that this is errata or clarifications material. I would think common coder sense would apply.

(This is similar to the comment I'd had on NXDOMAIN and data below it: similar but not the same. In this case, it's clear that the recursive server should not cache or otherwise believe/accept the data claimed to exist below the denied name.)
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
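The distinction the post draws, as an added example that is not part of the original message or of any real resolver: a validator asks the signed parent for the child's DS RRset and must react differently to "NoError/NoData" (no DS, so validation provably stops and unsigned child data is Insecure) and to "NXDOMAIN" (the parent proves the name does not exist, so nothing at or below it should be believed or cached). The response objects, names and the `authenticated` flag are constructed for illustration; the NSEC/NSEC3/RRSIG checks that would actually authenticate the DS answer are assumed to have been done already and are not implemented here.

```python
"""Delegation-point decision logic for a DNSSEC validator.

Illustrative code written for this page; it is not the poster's code and
not any resolver's implementation. DsResponse is a simplified, constructed
record, not a parsed DNS message, and `authenticated` stands in for the
RRSIG/NSEC/NSEC3 validation of the parent's answer (assumed done elsewhere).
"""
from dataclasses import dataclass, field
from enum import Enum


class Rcode(Enum):
    NOERROR = 0
    NXDOMAIN = 3


class DelegationStatus(Enum):
    SECURE = "secure"          # DS RRset present: the child must be signed
    INSECURE = "insecure"      # NoError/NoData: no DS, validation stops here
    NONEXISTENT = "nxdomain"   # the parent proves the name does not exist


@dataclass
class DsResponse:
    qname: str                                   # child name the DS query asked about
    rcode: Rcode
    ds_rrset: list = field(default_factory=list) # DS rdata strings; empty on NoData/NXDOMAIN
    authenticated: bool = True                   # DS RRset or denial proven by validated NSEC(3)/RRSIG


def normalize(name: str) -> str:
    """Canonical form: lower case, exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def is_at_or_below(name: str, ancestor: str) -> bool:
    """True if `name` equals `ancestor` or is a subdomain of it."""
    name, ancestor = normalize(name), normalize(ancestor)
    return name == ancestor or name.endswith("." + ancestor)


def sloppy_security_stops(resp: DsResponse) -> bool:
    """The mistake the post warns about: any DS answer lacking a DS RRset is
    read as 'no DS, security stops', so NoData and NXDOMAIN look identical."""
    return not resp.ds_rrset


def classify_delegation(resp: DsResponse) -> DelegationStatus:
    """Correct reading of the DS answer: rcode first, then DS presence."""
    if not resp.authenticated:
        # An unproven denial or DS RRset is Bogus, never silently Insecure.
        raise ValueError("unauthenticated DS response: treat as Bogus")
    if resp.rcode is Rcode.NXDOMAIN:
        return DelegationStatus.NONEXISTENT
    if resp.rcode is Rcode.NOERROR:
        return DelegationStatus.SECURE if resp.ds_rrset else DelegationStatus.INSECURE
    raise ValueError(f"unexpected rcode {resp.rcode!r}")


class Validator:
    """Minimal per-delegation state: remembers names the parent denied so that
    data claimed to exist at or below them is neither believed nor cached."""

    def __init__(self):
        self.denied = set()   # normalized names proven nonexistent by a parent

    def accept_child_data(self, resp: DsResponse, owner: str, rrset: list, signed: bool):
        """Return `rrset` (owned by `owner`, RRSIG-bearing if `signed`) if the
        validator may use it, else None. RRSIG verification itself is elided."""
        status = classify_delegation(resp)
        if status is DelegationStatus.NONEXISTENT:
            self.denied.add(normalize(resp.qname))
            return None
        if any(is_at_or_below(owner, d) for d in self.denied):
            return None                      # data under a denied name: do not cache
        if status is DelegationStatus.INSECURE:
            return rrset                     # unsigned child data is acceptable: Insecure
        return rrset if signed else None     # SECURE: unsigned child data is Bogus


if __name__ == "__main__":
    nodata = DsResponse("unsigned-child.example.", Rcode.NOERROR)
    nx = DsResponse("gone.example.", Rcode.NXDOMAIN)
    print("sloppy:", sloppy_security_stops(nodata), sloppy_security_stops(nx))
    print("correct:", classify_delegation(nodata), classify_delegation(nx))
    v = Validator()
    print(v.accept_child_data(nodata, "www.unsigned-child.example.", ["192.0.2.1"], signed=False))
    print(v.accept_child_data(nx, "www.gone.example.", ["192.0.2.2"], signed=False))
```

Running the block shows `sloppy_security_stops` returning True for both answers, while `classify_delegation` separates them; the validator then passes the unsigned data under the NoData delegation through as Insecure and refuses the data claimed under the denied name.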