See B.8. in RFC 4035. This is a provable NODATA that servers for a zone return when they serve the zone in the QNAME and not the immediate parent. As the root zone does not have a parent zone this is the answer that needs to be validated and returned.
> On 23 Jul 2025, at 14:28, Petr Špaček <[email protected]> wrote:
>
> On 23. 07. 25 12:45, Philip Homburg wrote:
>>>> ./DS is NOERROR NODATA. This is RFC described behaviour
>>>
>>> Which part of which RFC? I, too, am not finding this, but you seem
>>> sure it is in the RFCs.
>> In my experience, if a DS query arrives at an authoritative and the name
>> is in a zone served but not part of a delegation or below a delegation then
>> DS will be treated like any other type.
>> I'm not aware of any part of an RFC that requires the server to do anything
>> different in this case.
>> The funny thing is that because DS is a parent-side type, at a delegation
>> it is also a completely normal in-zone lookup that can result in either
>> an answer or a NODATA response.
>
> That's beside the point. My initial question was explicitly about:
>
> RFC 1034 5.3.3. Algorithm
> RFC 4035 4.3. Determining Security Status of Data
>
> I.e. resolver and validator.
>
> At the moment 8.8.8.8, 1.1.1.1, BIND 9.21.10 and Knot Resolver running DNS4EU
> give three different combinations of (RCODE, AD bit).
>
> --
> Petr Špaček

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
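An added example, not part of the original message and not taken from any resolver's code: it decodes an NSEC type bitmap (RFC 4034 section 4.1.2) and classifies the NODATA proof for a DS query, separating the apex-NSEC case of RFC 4035 B.8 (which is what the root returns) from a parent-side delegation NSEC. The function names and both sample bitmaps are constructed for illustration, and the NSEC is assumed to have already passed RRSIG validation.

```python
# Added illustration: classify the NSEC that accompanies a NODATA answer to a DS query.
# Assumption: the NSEC RRset has already been signature-validated by the caller.
NS, SOA, DS = 2, 6, 43

def parse_type_bitmap(wire):
    """Decode RFC 4034 4.1.2 type bitmaps: repeated (window, length, bitmap) blocks."""
    types, pos, last_window = set(), 0, -1
    while pos < len(wire):
        if pos + 2 > len(wire):
            raise ValueError("truncated window header")
        window, length = wire[pos], wire[pos + 1]
        pos += 2
        # Windows must be strictly increasing and each bitmap is 1..32 octets long.
        if not 1 <= length <= 32 or window <= last_window:
            raise ValueError("malformed window block")
        if pos + length > len(wire):
            raise ValueError("truncated bitmap")
        for i, octet in enumerate(wire[pos:pos + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):  # most significant bit is the lowest type
                    types.add(window * 256 + i * 8 + bit)
        pos += length
        last_window = window
    return types

def classify_ds_nodata(qname, nsec_owner, bitmap):
    """Return what a matching NSEC says about DS at qname."""
    if qname.lower() != nsec_owner.lower():
        return "nsec-does-not-match-qname"
    types = parse_type_bitmap(bitmap)
    if DS in types:
        return "ds-exists"  # the NSEC contradicts a NODATA answer
    if SOA in types:
        # Apex NSEC: the answering zone is the one named by QNAME (RFC 4035 B.8).
        # For "." there is no parent zone, so this is the only proof available.
        return "nodata-from-zone-apex"
    return "nodata-from-parent-side"  # delegation NSEC without DS

# Constructed sample: apex NSEC for "." with NS SOA RRSIG NSEC DNSKEY ZONEMD.
ROOT_APEX_BITMAP = bytes.fromhex("00082200000000038001")
# Constructed sample: parent-side NSEC at an unsigned delegation (NS RRSIG NSEC).
DELEGATION_BITMAP = bytes.fromhex("0006200000000003")

if __name__ == "__main__":
    print(classify_ds_nodata(".", ".", ROOT_APEX_BITMAP))
    print(classify_ds_nodata("example.", "example.", DELEGATION_BITMAP))
```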
