On 3/11/21 9:21 AM, Matthijs Mekking wrote:
>> which apparently has a DS at the apex of the child zone, which is
>> somewhere between 'useless' and 'wrong'.
>
> It is more wrong than useless: From RFC 4035:
>
>    All DS RRsets in a zone MUST be signed, and DS
>    RRsets MUST NOT appear at a zone's apex.

I've also encountered DS in the middle of a zone -- i.e. on a name
without NS, in this case also with some child names existing within the
same zone.
I didn't find that it's really forbidden, but on the other hand I've had
no motivation to fix Knot Resolver's forwarding+validation mode to
tunnel through such an obstacle. That zone got fixed eventually, too.
--Vladimir
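
The two placements discussed in this thread (a DS at the zone apex, and a DS on a name that has no NS) can be caught with a zone lint before publication. The following is an added example, not code from the post or from Knot Resolver; the simplified one-record-per-line input format, the function names and the `example.test` sample zone are assumptions made for illustration.

```python
# Added example: flag DS RRsets that sit where no delegation exists.
# Input is a simplified zone listing (constructed sample): one record per
# line, fully-qualified owner, fields "owner TTL class type rdata...".

def normalize(name):
    """Lower-case and ensure a trailing dot so names compare reliably."""
    name = name.lower()
    return name if name.endswith(".") else name + "."

def parse_records(text):
    """Yield (owner, rtype) pairs; skips blank lines and ';' comments."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        yield normalize(fields[0]), fields[3].upper()

def find_misplaced_ds(origin, text):
    """Return sorted (owner, reason) for each DS RRset that is out of place."""
    origin = normalize(origin)
    types_at = {}
    for owner, rtype in parse_records(text):
        types_at.setdefault(owner, set()).add(rtype)
    findings = []
    for owner, types in types_at.items():
        if "DS" not in types:
            continue
        if owner == origin:
            # RFC 4035: DS RRsets MUST NOT appear at a zone's apex.
            findings.append((owner, "ds-at-apex"))
        elif "NS" not in types:
            # DS without NS at the same owner: no zone cut for it to secure.
            findings.append((owner, "ds-without-delegation"))
    return sorted(findings)

# Constructed sample zone, not taken from any real deployment.
SAMPLE_ZONE = """
example.test.        3600 IN SOA ns1.example.test. host.example.test. 1 7200 900 1209600 3600
example.test.        3600 IN NS  ns1.example.test.
example.test.        3600 IN DS  12345 13 2 00aa   ; apex DS
child.example.test.  3600 IN NS  ns1.child.example.test.
child.example.test.  3600 IN DS  23456 13 2 00bb   ; proper delegation
mid.example.test.    3600 IN DS  34567 13 2 00cc   ; no NS here
a.mid.example.test.  3600 IN A   192.0.2.1
"""

if __name__ == "__main__":
    for owner, reason in find_misplaced_ds("example.test", SAMPLE_ZONE):
        print(f"{reason}: {owner}")
```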