> On 8 Aug 2023, at 11:27, Shumon Huque <shu...@gmail.com> wrote:
>
> On Mon, Aug 7, 2023 at 9:20 PM Mark Andrews <ma...@isc.org> wrote:
>
> You can’t query for NSEC3 records. NSEC3 names do not prevent wildcard
> matches nor are NSEC3 records or their RRSIGs returned for * queries at the
> hashed name. They are pure metadata. NSEC3 records and their RRSIGs exist
> in their own namespace.
>
> I'm well aware.
>
> My comment was specifically related to the constraint that NSEC records
> cannot be the sole record type owned by a domain name. That constraint was in
> 4035 though, and perhaps cannot even be extrapolated to NSEC3.

The different namespaces preclude there being such a record. Additionally, it is
noted that NSEC3 will never appear in the types bit map. Similarly, RRSIG can’t
appear by itself.

   o  The Type Bit Maps field of every NSEC3 RR in a signed zone MUST
      indicate the presence of all types present at the original owner
      name, except for the types solely contributed by an NSEC3 RR
      itself.  Note that this means that the NSEC3 type itself will
      never be present in the Type Bit Maps.

> Shumon.
>

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
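
The Type Bit Maps rule quoted in the message above, as an added example that is not part of the original message or of any project's code: an encoder and a strict decoder for the Type Bit Maps wire format (RFC 4034, section 4.1.2), plus a check that flags an NSEC3 RR whose bitmap contains the NSEC3 type (50). The function names are assumptions made for this illustration.

```python
NSEC3 = 50  # RR type code of NSEC3


def encode_type_bitmaps(types):
    """Encode RR type codes as a Type Bit Maps field (RFC 4034, 4.1.2)."""
    windows = {}
    for t in set(types):
        if not 0 <= t <= 0xFFFF:
            raise ValueError(f"bad RR type {t}")
        block = windows.setdefault(t >> 8, bytearray(32))
        # Bit 0 is the most significant bit of the first bitmap octet.
        block[(t & 0xFF) >> 3] |= 0x80 >> (t & 7)
    out = bytearray()
    for win in sorted(windows):
        bitmap = bytes(windows[win]).rstrip(b"\x00")  # drop trailing zero octets
        out += bytes([win, len(bitmap)]) + bitmap
    return bytes(out)


def decode_type_bitmaps(data):
    """Decode a Type Bit Maps field, rejecting malformed window blocks."""
    types, pos, last_win = [], 0, -1
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated window header")
        win, length = data[pos], data[pos + 1]
        pos += 2
        # Windows must be in increasing order, 1..32 octets, fully present.
        if win <= last_win or not 1 <= length <= 32 or pos + length > len(data):
            raise ValueError("malformed window block")
        for i, octet in enumerate(data[pos:pos + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.append((win << 8) | (i << 3) | bit)
        pos += length
        last_win = win
    return types


def nsec3_bitmap_violations(data):
    """Return problems found in the Type Bit Maps field of an NSEC3 RR."""
    if NSEC3 in decode_type_bitmaps(data):
        return ["NSEC3 type present in Type Bit Maps"]
    return []
```

An empty field decodes to an empty type list, which is what an NSEC3 RR covering an empty non-terminal carries.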