Re: [dnsext] bitmap inference was Re: ... - NXDOMAIN for emptynon-terminals

Edward Lewis <> Tue, 29 March 2011 18:32 UTC

List-Id: DNS Extensions working group discussion list <>

At 19:14 +0100 3/29/11, George Barwood wrote:

>The standard ( ) says
>    The Type Bit Maps field identifies the RRset types that exist at the
>    NSEC RR's owner name.

It doesn't say "MUST".  That's giving the semantic meaning of the 
field.  And it doesn't say "when" existence is tested.

>That's clear and unambiguous, I cannot see how you can read that any 
>other way.
>But I'm going to stop here and see if others have views on this.

The problem is determining if there is a protocol violation.

If you get this:

t=0 (Q:fqdn.tld./IN/AAAA):
fqdn.tld.   3600 IN NSEC other.tld. priv_type
t=5 (Q:fqdn.tld./IN/A):
fqdn.tld.   3600 IN A

How can you tell if I generated the NSEC regardless of the A record 
or just before the A record was added to the zone?  In the latter 
case, if you asked for the A you don't get the would-be-new NSEC.

Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Me to infant son: "Waah! Waah! Is that all you can say?  Waah?"
Son: "Waah!"
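
The exchange in the message above, worked through as an added example (not part of the original message and not taken from any DNS implementation): it decodes the NSEC Type Bit Maps wire format of RFC 4034, section 4.1.2, and shows that a resolver holding the t=0 NSEC can see that the t=5 A answer conflicts with it, but not which of the two explanations applies. The type code chosen for priv_type (65280, from the private-use range) and all function names are assumptions.

```python
# Added example: NSEC Type Bit Maps (RFC 4034, section 4.1.2) and the t=0 / t=5 exchange.
A, AAAA = 1, 28
PRIV_TYPE = 65280  # assumption: "priv_type" stands for some private-use type code

def encode_type_bitmap(types):
    """Build the wire-format Type Bit Maps field for a set of RR type codes."""
    windows = {}
    for t in set(types):
        win, bit = divmod(t, 256)
        bitmap = windows.setdefault(win, bytearray(32))
        bitmap[bit // 8] |= 0x80 >> (bit % 8)         # bit 0 is the MSB of octet 0
    out = bytearray()
    for win in sorted(windows):                       # windows in increasing order
        bitmap = bytes(windows[win]).rstrip(b"\x00")  # trailing zero octets are omitted
        out += bytes([win, len(bitmap)]) + bitmap
    return bytes(out)

def decode_type_bitmap(data):
    """Return the set of type codes asserted by a Type Bit Maps field."""
    types, pos, last_win = set(), 0, -1
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated window header")
        win, length = data[pos], data[pos + 1]
        if not 1 <= length <= 32 or win <= last_win or pos + 2 + length > len(data):
            raise ValueError("malformed window block")
        for i, octet in enumerate(data[pos + 2:pos + 2 + length]):
            types.update(win * 256 + i * 8 + b for b in range(8) if octet & (0x80 >> b))
        last_win, pos = win, pos + 2 + length
    return types

def compare(nsec_time, nsec_ttl, bitmap, answer_time, answer_type):
    """Compare a later positive answer with an earlier NSEC for the same owner name."""
    if answer_type in decode_type_bitmap(bitmap):
        return "consistent"
    if answer_time - nsec_time >= nsec_ttl:
        return "nsec-expired"
    # The NSEC is still within its TTL yet omits the type. The two responses alone
    # do not say whether the bitmap ignored an existing RRset or the RRset was
    # added after the NSEC was generated, so this is not labelled a violation.
    return "conflict-cause-unknown"

def demo():
    bitmap = encode_type_bitmap([PRIV_TYPE])  # constructed to match the t=0 response
    return compare(0, 3600, bitmap, 5, A)     # the A answer seen at t=5

if __name__ == "__main__":
    print(demo())
```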