Hi, On 20-12-16 11:59, Stephane Bortzmeyer wrote: > One of my comments was not addressed. I would like, in section 10, see > some details about what exactly is implemented by Unbound and Google > Public DNS: > > * synthesis of NXDOMAIN from NSEC (obviously; that's the minimum) > * synthesis of NXDOMAIN from NSEC3 (if no opt-out) > * synthesis of NODATA from NSEC/NSEC3 > * synthesis of positive answers from wilcards+NSEC > * all of them?
NSEC reply synthesis is not (yet) implemented in Unbound. I do not know why it is mentioned in section 10. I know of the existence of a patch, but that one seems to have flaws and is incomplete. Unbound currently uses its negative cache to prove non-existence of DS records. Not for synthesizing replies (although it is on our road-map for the very near future). Regards, -- Ralph _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
