On 26/10/2015 06:39, Paul Vixie wrote: > sanity check, someone? > > i believe that in dnssec, an empty non-terminal has a proof that the > name exists, and a proof that there are no RR's. thus, vastly > different from the signaling for NXDOMAIN.
RFC 4035 §3.1.3.2 appears to say differently :( The subject of that section is "Including NSEC RRs: Name Error Response", and it says: "Note that this form of response includes cases in which SNAME corresponds to an empty non-terminal name within the zone (a name that is not the owner name for any RRset but that is the parent name of one or more RRsets)." Paul and I already exchange mail off-list - I think we're both equally surprised at the above. Clarification from the authors of the rationale for this would be useful here! Ray _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
