At 17:38 +0100 12/19/06, Roy Arends wrote:

>You want to be sure the NSEC record is from the correct zone, let's say
>"from the zone that has the authority to make that claim", and not from an
>ancestor zone.

The only time the bit map will give a hint whether the NSEC is right
or not is when it is parent/child involved, when the owner name is
the same between two NSEC choices.

It's possible that an NSEC owned by an ancestor label will not have
any delegation information.
- A AAAA NSEC DNSKEY RRSIG
- SOA NS NSEC DNSKEY RRSIG or NS DS NSEC DNSKEY RRSIG
- TXT - same as foo-bar-...
com - ditto
.. - just the second half of the above

Come to think of it, none of the ancestor NSECs would cover the last
anyway - all of the next names would be at or before the next name

>I was ranting against the use of the word 'parent' instead of ancestor.
>that is all.

In this case, it would seem that parent is more accurate than ancestor.

Also, keep in mind that the NSEC has to be signed by its zone - that
ought to give away the authority of the NSEC. The only reason the
bitmap comes up is if you want to avoid having to look at the RRSIG.

Edward Lewis +1-571-434-5468

Dessert - aka Service Pack 1 for lunch.

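Worked example of the two checks discussed in this message (added here; not code from the thread or its participants): the type-bitmap hint that tells a parent-side delegation NSEC from a child-apex NSEC with the same owner name, and the RRSIG Signer's Name as the decisive authority check. The NSEC records and zone names below are constructed for illustration.

```python
from dataclasses import dataclass

def _labels(name):
    # Canonical form (RFC 4034 s6.1): lowercase, labels listed root-first
    return name.rstrip(".").lower().split(".")[::-1] if name.strip(".") else []
def canonical_less(a, b):
    # True when name a sorts before name b in DNSSEC canonical order
    la, lb = _labels(a), _labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return x.encode() < y.encode()
    return len(la) < len(lb)
def is_strict_ancestor(anc, name):
    la, ln = _labels(anc), _labels(name)
    return len(la) < len(ln) and ln[:len(la)] == la

@dataclass(frozen=True)
class NSEC:
    owner: str
    next: str
    types: frozenset  # type bitmap as mnemonics
    signer: str       # Signer's Name from the RRSIG over this NSEC

def nsec_side(n):
    # Bitmap hint: SOA => child apex; NS without SOA => parent side of a delegation
    if "SOA" in n.types:
        return "child-apex"
    return "parent-delegation" if "NS" in n.types else "ordinary"
def covers(n, qname):
    # qname strictly between owner and next; a zone's last NSEC wraps to the apex
    if not canonical_less(n.owner, qname):
        return False
    if canonical_less(n.owner, n.next):
        return canonical_less(qname, n.next)
    return True
def proves_nonexistence(n, qname, zone):
    # Signer decides whose claim this is; a parent-side delegation NSEC above qname
    # cannot deny names under the cut (RFC 4035 s5.4), even if the ordering fits
    in_zone = _labels(zone) == _labels(qname) or is_strict_ancestor(zone, qname)
    if n.signer.rstrip(".").lower() != zone.rstrip(".").lower() or not in_zone:
        return False
    if nsec_side(n) == "parent-delegation" and is_strict_ancestor(n.owner, qname):
        return False
    return covers(n, qname)

# Constructed sample: parent-side and child-apex NSEC sharing the owner example.com
PARENT_NSEC = NSEC("example.com.", "example2.com.",
                   frozenset({"NS", "DS", "RRSIG", "NSEC"}), "com.")
CHILD_NSEC = NSEC("example.com.", "c.example.com.",
                  frozenset({"SOA", "NS", "DNSKEY", "RRSIG", "NSEC"}), "example.com.")
```

Note that `covers(PARENT_NSEC, "b.example.com.")` is true by ordering alone, which is exactly why the signer and delegation checks in `proves_nonexistence` are needed before accepting it.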