On Fri, Aug 24, 2018 at 10:26 AM Paul Hoffman <paul.hoff...@icann.org> wrote:
> On Aug 24, 2018, at 6:43 AM, Vladimír Čunát <vladimir.cunat+i...@nic.cz> > wrote: > > > > On 08/24/2018 02:01 AM, Paul Hoffman wrote: > >> Thoughts? > > > > Well, if the OS resolver is validating, it will SERVFAIL with such a > > query. > > The protocol requires special handling of those specific queries, so a > resolver that understands the protocol will give the desired answer. A > resolver that doesn't understand the answer will give NXDOMAIN even if it > is validating because that RRtype is not in the root zone. > (Haven't read the draft yet, but a quick comment on this point ..) Surely you mean NODATA (NOERROR + empty ANSWER section), since the root domain name exists. If validating, it would additionally provide the signed NSEC/NSEC3 record at the root disproving the existence of the RRtype. Shumon
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
