Re: [DNSOP] 4035 3.1.4.1 erratum? dig ds root-servers.net @X.root-servers.net

神明達哉 <jinmei@wide.ad.jp> Fri, 05 January 2018 18:27 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/xR_Z1JtlFO7grPpI5laA5J42D5A>

At Thu, 4 Jan 2018 08:12:26 +1100,
Mark Andrews <marka@isc.org> wrote:

> The reply also has to work for STD13 clients which already know
> about the child zone. The NODATA response is the correct one despite
> it requiring more work for a DNSSEC client.

Section 2.2.1.1 of RFC 3658 also explains that point:

   [...]  As these queries are only expected to originate
   from recursive nameservers which are not DS-aware, the authoritative
   nameserver MUST answer with:

      RCODE:             NOERROR
      AA bit:            set
      Answer Section:    Empty
      Authority Section: SOA [+ SIG(SOA) + NXT + SIG(NXT)]

   That is, it answers as if it is authoritative and the DS record does
   not exist.  DS-aware recursive nameservers will query the parent zone
   at delegation points, so will not be affected by this.

--
JINMEI, Tatuya
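
Added example, not part of the original message or of any RFC: a check that a wire-format reply to a DS query has the shape quoted above from RFC 3658 section 2.2.1.1 (NOERROR, AA set, empty answer, SOA in authority). The function names, the sample builder and the SOA RDATA values are assumptions constructed for the demonstration; the optional signature records in the authority section are not checked.

```python
import struct

TYPE_SOA, TYPE_DS = 6, 43

def encode_name(name):
    """Encode a domain name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + length

def nodata_deviations(msg):
    """List how a reply differs from the RFC 3658 2.2.1.1 shape ([] = matches)."""
    _id, flags, qd, an, ns, _ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):                      # question: name + type + class
        off = skip_name(msg, off) + 4
    rr_types = []
    for _ in range(an + ns):                 # answer RRs, then authority RRs
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        rr_types.append(rtype)
    problems = []
    if (flags & 0x000F) != 0:
        problems.append("RCODE is not NOERROR")
    if not (flags & 0x0400):
        problems.append("AA bit not set")
    if an != 0:
        problems.append("answer section not empty")
    if TYPE_SOA not in rr_types[an:]:
        problems.append("no SOA in authority section")
    return problems

def build_sample(flags, with_soa=True):
    """Constructed reply to 'DS root-servers.net'; SOA RDATA values are made up."""
    msg = struct.pack("!6H", 0x1234, flags, 1, 0, 1 if with_soa else 0, 0)
    msg += encode_name("root-servers.net") + struct.pack("!HH", TYPE_DS, 1)
    if with_soa:
        rdata = (encode_name("ns.example") + encode_name("hostmaster.example")
                 + struct.pack("!5I", 1, 14400, 7200, 1209600, 3600))
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SOA, 1, 3600, len(rdata)) + rdata
    return msg
```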