Paul Vixie wrote:
>>>So an NSEC3 nameserver will have to explicitly prove the non-existence
>>>of an NS record at each label up to the closest non-empty encloser by
>>>returning the appropriate NSEC3 record of each parent label.

>>
>>No, because there should be no records below the NS record in the parent
>>zone, so if there is an NS, it will be at the closest encloser. The same
>>argument applies to NSEC, as far as I can see.

>
>
> i don't think this holds. the parent can contain in-child glue, which
> will never appear in answer sections. this is how zones are "reachable"
> even if all nameservers are in-zone or below-zone. that means
>
> $ORIGIN .
> net NS a.gtld-servers.net.
> a.gtld-servers.net. A i.p.v.4


Glue records are not authoritative, so they don't appear in NSEC(3)s.

Cheers,

Ben.

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: