Edward Lewis wrote on 12/19/2006 06:14:26 PM:

> At 17:38 +0100 12/19/06, Roy Arends wrote:
> >You want to be sure the NSEC record is from the correct zone, let's say
> >"from the zone that has the authority to make that claim", and not from
> >ancestor zone.

> The only time the bit map will give a hint whether the NSEC is right
> or not is when it is parent/child involved, when the owner name is
> the same between two NSEC choices.

root: com NSEC edu NS DS
tld: example.com NSEC lewis.com NS DS
sld: www.example.com NSEC example.com A

QNAME is www.example.com

The spoofed response contains: com NSEC edu NS DS

This is obviously from an ancestor (grandpa in this case), not the parent.

This was about terminology, not the rules themselves, so I don't see what the
rest of your response about rules and ways to check, etc., etc. has to do
with my point about terminology.

Roy Arends
Nominet UK
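
The case in the message above, as an added example that is not part of the original thread: a validator-side check that refuses an NSEC taken from above a zone cut, using the "ancestor delegation" test of RFC 6840 section 4.1 (NS bit set, SOA bit clear, signer name shorter than owner name). The `Nsec` tuple, the function names and the signer values are assumptions; the message lists only owner, next name and type bits.

```python
# Added example: the three NSEC records from the message, checked against QNAME.
# Signer names are assumed from the zone labels (root, tld, sld) in the message.
from typing import NamedTuple

class Nsec(NamedTuple):
    owner: str        # NSEC owner name
    next_name: str    # next owner name in the zone's canonical order
    types: frozenset  # type bit map
    signer: str       # Signer's Name of the covering RRSIG (assumed)

def labels(name):
    """Labels of a domain name, lower-cased; the root is the empty list."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def is_subdomain(name, ancestor):
    """True when name lies strictly below ancestor."""
    n, a = labels(name), labels(ancestor)
    return len(n) > len(a) and n[len(n) - len(a):] == a

def is_ancestor_delegation(nsec):
    """Parent-side NSEC at a zone cut: NS set, SOA clear, signer above owner."""
    return ("NS" in nsec.types and "SOA" not in nsec.types
            and len(labels(nsec.signer)) < len(labels(nsec.owner)))

def nsec_applies_to(nsec, qname):
    """May this NSEC be used to make a claim about qname?"""
    in_zone = (labels(nsec.owner) == labels(nsec.signer)
               or is_subdomain(nsec.owner, nsec.signer))
    if not in_zone:
        return False  # owner is not inside the zone that signed it
    # An NSEC from above the cut says nothing about names below the cut.
    if is_ancestor_delegation(nsec) and is_subdomain(qname, nsec.owner):
        return False
    return True

QNAME = "www.example.com"
ROOT = Nsec("com", "edu", frozenset({"NS", "DS"}), ".")
TLD = Nsec("example.com", "lewis.com", frozenset({"NS", "DS"}), "com")
SLD = Nsec("www.example.com", "example.com", frozenset({"A"}), "example.com")

if __name__ == "__main__":
    for label, rec in (("root", ROOT), ("tld", TLD), ("sld", SLD)):
        verdict = "usable" if nsec_applies_to(rec, QNAME) else "rejected"
        print(f"{label}: {rec.owner} NSEC {rec.next_name} -> {verdict}")
```

The same test rejects the parent's NSEC and the grandparent's NSEC, which is why the bit map alone does not tell the two apart; the signer name does.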

