[nsd-users] wildcard+ANY validation issue between NSD and Unbound

Peter van Dijk peter.van.dijk at netherlabs.nl
Fri Feb 24 13:37:42 UTC 2012


On Feb 24, 2012, at 14:28 , Miek Gieben wrote:

> [ Quoting <peter.van.dijk at netherlabs> at 13:12 on Feb 24 in "[nsd-users] wildcard..." ]
>> RFC4035 appears not to cover the interaction between ANY and NSEC at
>> all.
> 
> That's because ANY has been loosely defined (I'm not sure there is a written
> down definition) as give me the records you've got. In case you hit a
> cache with an ANY query there is no guarantee whatsoever that it should
> all validate. I think that even for authoritative servers you can pretty
> much do what you want if it receives a QTYPE = ANY.

While that is true, I feel that whatever an auth chooses to serve up for ANY would still consist of zero or more RRsets, which means the RRSIGs and NSECs that go with them could validate. Right?

Kind regards,
Peter van Dijk


