On Sat, 5 Oct 2024, Philip Homburg wrote:
> If a stub resolver asks for a.b.c.d.example and d.example does not exist
> then example is the target zone. It is also a TLD, but if d.example does not
> exist then any query for a.b.c.d.example is directed at the zone example.

Right.

> The question then becomes how likely it is that clients construct such names.
>
> I can imagine somebody typing a long name and making a mistake somewhere.
> But who does that these days?

I have no idea, although I do know that over 3 million domains expire from .COM every month so if nothing else you'll have people looking for names that used to exist but don't any more.

> So I guess that any query that arrives at a recursive resolver with DO and
> optionally CD set could be from an unmodified DNSSEC validator. So the
> recursor has to obtain the NODATA result for a.b.c.d.example.

Other way around, if the client doesn't understand NXNAME, the recursive needs to get the real signed NXDOMAIN to pass along.

R's,
John
