Simon Josefsson wrote:
> Paul Vixie writes:

> > in that case, since the zone ends above the zonecut. A recursive server
> > should respond with a non-AA answer in that case. But the non-AA answer
> > should be first retrieved from the apex of the subzone, by following the
> > delegation, all without allowing an RD=1 query to affect subsequent RD=0
> > results. A dual-use server would therefore have to maintain separate NS
> > RRsets (and associated A/AAAA glue) for RD=0 vs RD=1 answers.

Algorithms 4.3.2 and 5.3.3 in RFC 1034 say that in the case RD=1 the query
will be answered by local data. So, if a server is authoritative for the
parent, but not for the child, a query would be satisfied from "local data",
i.e. the NS RRSet that's present in the parent. The response won't be
authoritative, but why should that matter? The problem seems to be that
you won't be able to receive a signed response this way. But then, why would
one ask for an NS RRSet in the first place (yeah, DynUpd, I know, but QTYPE
SOA is better here anyway)?

> Forbidding dual-use servers seems like a slightly unrealistic solution
> to me, given deployed use. Without understanding what the actual
> interoperability problems are (in contrast to implementation
> problems), it seems that there is no justification for that solution.

Agreed. "Don't" won't work. "Education" (quoting Olaf) will need to explain
the (theoretical) problem and its practical relevance.
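
A toy model of the separation described in the quoted Paul Vixie text above, added here as an example and not part of the original thread: a dual-use server that shares one NS store lets an RD=1 lookup change a later RD=0 answer, while one with separate stores does not. The zone names, RRset contents and the `DualUseServer` class are constructed for illustration, and the upstream query to the child apex is simulated with a dict.

```python
# Constructed data: the server is authoritative for example. and also recurses.
# Delegation NS RRset held in the parent zone (non-authoritative, at the zone cut).
DELEGATION = {"sub.example.": frozenset({"ns1.sub.example."})}
# NS RRset a resolver learns from the child apex after following the delegation.
CHILD_APEX = {"sub.example.": frozenset({"ns1.sub.example.", "ns2.sub.example."})}


class DualUseServer:
    """Hypothetical server model; only NS queries at a delegation point are handled."""

    def __init__(self, separate_stores):
        self.zone_ns = dict(DELEGATION)  # data used for RD=0 answers
        # Without separation the recursive cache is the same object as the zone data.
        self.cache_ns = {} if separate_stores else self.zone_ns

    def query_ns(self, qname, rd):
        """Return (aa_flag, ns_rrset). The answer is never AA below the zone cut."""
        if rd:
            # Recursive path: follow the delegation and keep the child-apex RRset.
            # CHILD_APEX stands in for the real upstream query.
            self.cache_ns[qname] = CHILD_APEX[qname]
            return False, self.cache_ns[qname]
        # Non-recursive path: answer from what the parent zone itself holds.
        return False, self.zone_ns[qname]


def rd0_answers_around_rd1(separate_stores):
    """RD=0 answer before and after an intervening RD=1 query for the same name."""
    srv = DualUseServer(separate_stores)
    before = srv.query_ns("sub.example.", rd=False)[1]
    srv.query_ns("sub.example.", rd=True)
    after = srv.query_ns("sub.example.", rd=False)[1]
    return before, after


if __name__ == "__main__":
    for separate in (False, True):
        before, after = rd0_answers_around_rd1(separate)
        label = "separate stores" if separate else "shared store"
        print(f"{label}: RD=0 answer changed by RD=1 query: {before != after}")
```
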

