In your letter dated 5 Oct 2024 14:03:42 -0400 you wrote: >> So I guess that any query that arrives at a recursive resolver with DO and >> optionally CD set could be from an unmodified DNSSEC validator. So the >> recursor has to obtain the NODATA result for a.b.c.d.example. > >Other way around, if the client doesn't understand NXNAME, the recursive >needs to get the real signed NXDOMAIN to pass along.
If a recursive resolver passes NXDOMAIN to a requesting validator, then the result has to prove NXDOMAIN, so there has to be either an NSEC or NSEC3 record that proves that the name does not exist. If the authoritative proves NODATA, then this will fail. _______________________________________________ DNSOP mailing list -- dnsop@ietf.org To unsubscribe send an email to dnsop-le...@ietf.org
