
Re: Empty non-terminals and NSEC records



At Wed, 03 Dec 2003 15:49:07 +0100, Erik Rozendaal wrote:
> 
> The example zone in the draft-ietf-dnsext-dnssec-protocol-03.txt document 
> contains the following records (among others and excluding RRSIG records):
> 
>     ns2.example.   3600 IN A   192.0.2.2
>                    3600 NSEC   *.w.example. A RRSIG NSEC
>     *.w.example.   3600 IN MX  1 ai.example.
>                    3600 NSEC   x.w.example. MX RRSIG NSEC
> 
> Notice there are no RRs for the w.example. domain, making it an empty 
> non-terminal.  According to the original DNS RFCs empty non-terminals do 
> exist (in other words, querying for w.example. will not result in NXDOMAIN 
> but in NODATA).
> 
> However, the signed version does not include proper NSEC records for 
> w.example.  Is this intentional and expected behaviour?

Er, if empty non-terminal nodes had NSEC RRs, they wouldn't be empty.

The approach we took in the DNSSECbis docs was to talk about RRsets
and owner names of RRsets rather than name existence per se.

If you're asking what the form of a response should be for a query
w.example, it'd be the form covered in 3.1.3.2: note that section
3.1.3.2 deliberately does not specify the RCODE.

--
archive: <http://ops.ietf.org/lists/namedroppers/>
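The situation discussed in this thread, as an added example that is not part of either message or of the draft: a Python sketch that takes the owner names from the quoted zone fragment, finds the empty non-terminal, builds the NSEC chain in canonical name order, and reports which NSEC span covers `w.example.`. The function names are hypothetical, and the apex `example.` is added to the owner list as an assumption, since the fragment does not show it.

```python
# Owner names from the quoted fragment; the apex is assumed, not shown on the page.
OWNERS = ["example.", "ns2.example.", "*.w.example.", "x.w.example."]

def canonical_key(name):
    """Canonical DNS order: compare labels right to left as lowercase bytes."""
    labels = name.rstrip(".").lower().split(".")
    return [label.encode("ascii") for label in reversed(labels)]

def empty_non_terminals(owners, apex):
    """Names inside the zone that own no RRsets but have descendants that do."""
    owned = {o.lower() for o in owners}
    found = set()
    for owner in owned:
        parent = owner.split(".", 1)[1]          # drop the leftmost label
        while parent != apex and parent.endswith("." + apex):
            if parent not in owned:
                found.add(parent)
            parent = parent.split(".", 1)[1]
    return sorted(found, key=canonical_key)

def nsec_chain(owners):
    """(owner, next) pairs over owner names only; the last wraps to the first."""
    ordered = sorted({o.lower() for o in owners}, key=canonical_key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)])
            for i in range(len(ordered))]

def covering_nsec(qname, chain):
    """NSEC pair whose span strictly contains qname; None if qname owns an NSEC."""
    q = canonical_key(qname)
    if any(canonical_key(owner) == q for owner, _ in chain):
        return None
    for owner, nxt in chain:
        lo, hi = canonical_key(owner), canonical_key(nxt)
        if lo < q < hi or (hi <= lo and (q > lo or q < hi)):   # second case: wrap
            return (owner, nxt)
    return None

if __name__ == "__main__":
    chain = nsec_chain(OWNERS)
    for owner, nxt in chain:
        print(f"{owner:15} NSEC {nxt}")
    for ent in empty_non_terminals(OWNERS, "example."):
        # An empty non-terminal owns no NSEC; it falls inside another name's span.
        print(f"{ent} owns no RRsets; covered by {covering_nsec(ent, chain)}")
```

The chain it prints includes the two NSEC records quoted above, and `w.example.` falls inside the span from `ns2.example.` to `*.w.example.` rather than owning a record of its own.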