Ticket #10 (defect)
Opened 3 years ago
Last modified 3 years ago
NSEC3 checks in bind are incomplete
Status: new
| Reported by: | ben | Assigned to: | ben |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | bind-patches | Version: | |
| Severity: | normal | Keywords: | |
| Cc: |
NSEC3 should check that:
a) All NSEC3s come from the same zone
b) None of them prove an NS that delegates to qname (or records from a parent zone can be used for denial).
Change History
11/02/05 15:57:56: Modified by ben
11/13/05 14:26:48: Modified by ben
- component changed from drafts to bind-patches.

David Blacka says: "Actually, there are two rules here: for negative responses to non-DS queries, if there is a NS bit, there must also be the SOA bit. For DS queries, you want the opposite (since that answer must come from the parent): if there are NS bits, there must not be the SOA bit.
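
The two rules quoted above, applied to the type bitmap of a single NSEC3 record, as an added example that is not BIND's code and not part of the ticket. The function names and the sample bitmaps are constructed for illustration, and the bitmap layout assumed is the NSEC window-block format from RFC 4034 section 4.1.2.

```c
#include <stddef.h>
#include <stdint.h>

#define T_NS  2   /* RR type codes */
#define T_SOA 6

/* Constructed sample bitmaps, window 0 only. */
static const uint8_t BM_APEX[]  = {0x00, 0x01, 0x22};            /* NS + SOA */
static const uint8_t BM_DELEG[] = {0x00, 0x06, 0x20, 0, 0, 0, 0, 0x10}; /* NS + DS */
static const uint8_t BM_BAD[]   = {0x00, 0x05, 0x20};            /* length overruns */

/* Returns 1 if `type` is set in the bitmap, 0 if clear, -1 if the
 * window blocks are malformed (bad length, truncated, out of order). */
static int bitmap_has_type(const uint8_t *bm, size_t len, uint16_t type)
{
    size_t off = 0;
    int found = 0, last_win = -1;

    while (off < len) {
        if (len - off < 2)
            return -1;
        int win = bm[off];
        size_t blen = bm[off + 1];
        off += 2;
        if (blen < 1 || blen > 32 || blen > len - off || win <= last_win)
            return -1;
        if (win == type / 256) {
            size_t byte = (type % 256) / 8;
            if (byte < blen && (bm[off + byte] & (0x80 >> (type % 8))))
                found = 1;
        }
        last_win = win;
        off += blen;
    }
    return found;
}

/* Returns 1 if this NSEC3 may be used for denial, 0 otherwise. */
int nsec3_usable_for_denial(const uint8_t *bm, size_t len, int qtype_is_ds)
{
    int ns = bitmap_has_type(bm, len, T_NS);
    int soa = bitmap_has_type(bm, len, T_SOA);

    if (ns < 0 || soa < 0)
        return 0;                    /* malformed bitmap: reject */
    if (!ns)
        return 1;                    /* no NS bit: neither rule applies */
    return qtype_is_ds ? !soa : soa; /* DS: NS without SOA; else NS with SOA */
}
```
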