Non-recursive nameserver response to DS request

Chris Thompson cet1 at cam.ac.uk
Thu Nov 14 16:24:09 UTC 2013


A user here was confused by the fact that

  dig -t DS cam.ac.uk @authdns0.csx.cam.ac.uk

gives an (authoritative!) "nodata" response. (Well, actually he was using
"host" rather than "dig", but the principle is the same.)

The server is authoritative-only and gives REFUSED when queried about
other zones, so my first thought was that it ought to have deduced
that the DS record for cam.ac.uk lives in ac.uk, and that is not one
of the zones it is authoritative for, and so REFUSED would be the right
response.

If the nameserver is authoritative for both parent and child, and
the DS record for the child is requested, it correctly returns the
one from the parent zone. Well, obviously this must work, as the
situation is common.

So is this a BIND bug? Or is it somehow allowed by small print in
the RFCs somewhere?

[Adding +dnssec provides a response that proves there is no DS
record for cam.ac.uk in the zone cam.ac.uk, which of course is true.]

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
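The two situations described in the message, as an added worked model that is not part of the original post and is not BIND's code: a DS RRset is owned by the child name but stored in the parent zone, so the answering zone for a DS query is found by looking up the closest enclosing zone the server serves for the *parent* of the query name. The model covers the case where the server serves both parent and child (answer from the parent), and the case where it serves only the child, where it can either return the authoritative NODATA that was observed or the REFUSED that the poster expected (selected by the hypothetical `refuse_when_parent_not_served` flag). The zone contents, owner names and the DS digest are constructed placeholders.

```python
"""Model of which zone answers a DS query on an authoritative-only server.

Constructed example; not BIND's logic. Names are handled as label lists so
that comparison is case-insensitive and independent of the trailing dot.
"""


def labels(name):
    """Split a domain name into lowercase labels; the root '.' gives []."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]


def fqdn(name):
    """Canonical form used as the lookup key: lowercase, trailing dot."""
    lbls = labels(name)
    return ".".join(lbls) + "." if lbls else "."


def is_within(name, zone):
    """True if `name` is at or below the apex of `zone`."""
    n, z = labels(name), labels(zone)
    return len(z) <= len(n) and n[len(n) - len(z):] == z


def parent_name(name):
    """Strip the leftmost label: the owner of cam.ac.uk's DS lives in ac.uk."""
    lbls = labels(name)
    return ".".join(lbls[1:]) + "." if len(lbls) > 1 else "."


def closest_enclosing_zone(name, zones):
    """Longest-matching zone among `zones` that contains `name`, or None."""
    candidates = [z for z in zones if is_within(name, z)]
    return max(candidates, key=lambda z: len(labels(z))) if candidates else None


def answer_ds(qname, zones, refuse_when_parent_not_served=False):
    """Return (rcode, aa, rdata, answering_zone) for a DS query.

    `zones` maps zone apex -> {(owner, rrtype): [rdata, ...]}.
    rcode NOERROR with empty rdata is the 'nodata' case from the post.
    """
    owner = fqdn(qname)
    parent_zone = closest_enclosing_zone(parent_name(qname), zones)
    if parent_zone is not None:
        # Authoritative for the parent: the DS set, if any, is stored here.
        rrs = zones[parent_zone].get((owner, "DS"), [])
        return ("NOERROR", True, rrs, parent_zone)
    child_zone = closest_enclosing_zone(qname, zones)
    if child_zone is None or refuse_when_parent_not_served:
        # Not serving any zone that could hold the answer (or the policy the
        # poster expected): an authoritative-only server refuses.
        return ("REFUSED", False, [], None)
    # Behaviour observed in the post: authoritative nodata from the child zone,
    # which is true as far as that zone's contents go (no DS at its own apex).
    return ("NOERROR", True, [], child_zone)


# Constructed zone data. The DS digest is a placeholder, not a real record.
PARENT_AND_CHILD = {
    "ac.uk.": {
        ("cam.ac.uk.", "NS"): ["authdns0.csx.cam.ac.uk."],
        ("cam.ac.uk.", "DS"): ["12345 8 2 PLACEHOLDER-DIGEST"],
    },
    "cam.ac.uk.": {
        ("cam.ac.uk.", "SOA"): ["placeholder SOA rdata"],
        ("cam.ac.uk.", "DNSKEY"): ["257 3 8 PLACEHOLDER-KEY"],
    },
}
CHILD_ONLY = {"cam.ac.uk.": PARENT_AND_CHILD["cam.ac.uk."]}


if __name__ == "__main__":
    print("parent+child:", answer_ds("cam.ac.uk", PARENT_AND_CHILD))
    print("child only  :", answer_ds("cam.ac.uk", CHILD_ONLY))
    print("child only, refuse policy:",
          answer_ds("cam.ac.uk", CHILD_ONLY, refuse_when_parent_not_served=True))
    print("foreign zone:", answer_ds("example.org", CHILD_ONLY))
```

Running the script shows the contrast from the post directly: with both zones loaded the DS comes back from `ac.uk.`, while with only `cam.ac.uk.` loaded the same query yields an authoritative empty answer unless the refuse policy is chosen, in which case it is REFUSED exactly like a query for an unrelated zone.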

