On 15 Apr 2019, at 13:40, Gert van Dijk wrote:
On Mon, Apr 15, 2019 at 1:17 PM Bart Mortelmans <power...@bart.bim.be> wrote:
It seems like this doesn't cause any problems in the real world, only in a
test like the one on internet.nl. But as far as I can tell, it's not okay
with RFC8020.
It will break DNSSEC for any names under the NXDOMAIN.
Very interesting read, thanks. I was looking for such a rule in other RFCs
while writing a reply to Steffan, but it appears to be in a separate RFC on
its own. :-)
8020 makes explicit what was implicit already - if there is something
below a name, the name itself should exist as well.
FWIW, PowerDNS is not stating to be compliant with that RFC. [1] :-(
The auth is compliant with the behaviour required by the RFC. The
recursor does not implement 8020. I’ll update the page.
I'm running PowerDNS Authoritative 4.2.0-rc1 with the BIND Backend and it
responds as it should, without having any RR on name '_domainkey' for the
zone! The domain passes the test just fine.
Perhaps this is specific to the backend?
Yes. In the bindbackend, this is automatic. With database backends, a
NULL record needs to be inserted. pdnsutil rectify-zone will do this for
you.
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
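
Added example, not part of the original thread and not PowerDNS code: a Python illustration of which empty non-terminal names a zone needs so that a name such as '_domainkey' answers NOERROR instead of NXDOMAIN when records exist below it. The zone contents and function names are constructed for illustration, and wildcards and delegations are ignored as a simplifying assumption.

```python
# Added example: compute the empty non-terminals (ENTs) of a zone and show
# the response code a query would get with and without them present.
# Simplification (assumption): no wildcards, no delegations.

def labels(name):
    """Split a domain name into lower-case labels, ignoring a trailing dot."""
    return tuple(name.rstrip(".").lower().split("."))

def empty_non_terminals(apex, owner_names):
    """Names strictly between the apex and an owner name that hold no records."""
    apex_l = labels(apex)
    owners = {labels(n) for n in owner_names}
    ents = set()
    for owner in owners:
        if owner[-len(apex_l):] != apex_l:
            raise ValueError("name outside zone: " + ".".join(owner))
        # Walk from the owner's parent up to the label just below the apex.
        for i in range(1, len(owner) - len(apex_l)):
            ancestor = owner[i:]
            if ancestor not in owners:
                ents.add(ancestor)
    return sorted(".".join(e) for e in ents)

def rcode(apex, owner_names, qname, ents_present):
    """Response code for qname; ents_present=False models missing ENT entries."""
    known = {labels(n) for n in owner_names}
    if ents_present:
        known |= {labels(e) for e in empty_non_terminals(apex, owner_names)}
    return "NOERROR" if labels(qname) in known else "NXDOMAIN"

# Constructed sample zone: a DKIM selector exists, '_domainkey' has no RR.
ZONE = [
    "example.com",
    "www.example.com",
    "selector1._domainkey.example.com",
    "a.b.c.example.com",
]

if __name__ == "__main__":
    print("ENTs needed:", empty_non_terminals("example.com", ZONE))
    for present in (False, True):
        print("ENTs present:", present, "->",
              rcode("example.com", ZONE, "_domainkey.example.com", present))
```

An NXDOMAIN for '_domainkey.example.com' in this model is the situation discussed in the thread: a validating resolver that follows RFC 8020 may then treat 'selector1._domainkey.example.com' as nonexistent too.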