At Thu, 4 Jan 2018 08:12:26 +1100, Mark Andrews <ma...@isc.org> wrote:
> The reply also has to work for STD13 clients which already know
> about the child zone. The NODATA response is the correct one despite
> it requiring more work for a DNSSEC client.

Section 2.2.1.1 of RFC 3658 also explains that point:

   [...] As these queries are only expected to originate from
   recursive nameservers which are not DS-aware, the authoritative
   nameserver MUST answer with:

      RCODE:             NOERROR
      AA bit:            set
      Answer Section:    Empty
      Authority Section: SOA [+ SIG(SOA) + NXT + SIG(NXT)]

   That is, it answers as if it is authoritative and the DS record does
   not exist. DS-aware recursive nameservers will query the parent zone
   at delegation points, so will not be affected by this.

--
JINMEI, Tatuya

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
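
Added example, not part of the original message or of any DNS implementation: a minimal wire-format check that a response to a DS query has the NODATA shape quoted above from RFC 3658 (NOERROR, AA set, empty answer section, SOA in the authority section). The zone name `child.example.`, the SOA field values and the helper names are assumptions constructed for illustration; the optional SIG/NXT records are not required by the check.

```python
import struct

TYPE_SOA, TYPE_DS = 6, 43
QR, AA = 0x8000, 0x0400

def encode_name(name):
    """Encode a domain name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:   # a compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def is_ds_nodata(msg):
    """True if msg has the response shape quoted from RFC 3658, section 2.2.1.1."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    off, qtypes, auth_types = 12, [], []
    for _ in range(qd):                      # question section
        off = skip_name(msg, off)
        qtypes.append(struct.unpack("!H", msg[off:off + 2])[0])
        off += 4                             # QTYPE + QCLASS
    if an != 0:                              # Answer Section: Empty
        return False
    for _ in range(ns):                      # authority section
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        auth_types.append(rtype)
        off += 10 + rdlen
    return ((flags & QR) != 0 and (flags & AA) != 0 and (flags & 0x000F) == 0
            and qtypes == [TYPE_DS] and TYPE_SOA in auth_types)

# Constructed sample data: child.example. is a made-up zone name.
def soa_rr(owner):
    rdata = (encode_name("ns." + owner) + encode_name("hostmaster." + owner)
             + struct.pack("!5I", 1, 3600, 600, 86400, 300))
    return encode_name(owner) + struct.pack("!HHIH", TYPE_SOA, 1, 300, len(rdata)) + rdata

def build_response(flags, authority_rrs, qname="child.example."):
    header = struct.pack("!6H", 0x1234, flags, 1, 0, len(authority_rrs), 0)
    question = encode_name(qname) + struct.pack("!2H", TYPE_DS, 1)
    return header + question + b"".join(authority_rrs)

if __name__ == "__main__":
    print(is_ds_nodata(build_response(QR | AA, [soa_rr("child.example.")])))
```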