[nsd-users] wildcard+ANY validation issue between NSD and Unbound

Miek Gieben miek at miek.nl
Fri Feb 24 16:00:21 UTC 2012

[ Quoting <peter.van.dijk at netherlabs> at 14:37 on Feb 24 in "Re: [nsd-users] wild..." ]
> > That's because ANY has been loosly defined (I'm not sure there is a written
> > down definition) as give me the records you've got. In case you hit a
> > cache with an ANY query there is no guarantee what so ever that it should
> > all validate. I think that even for authoritative servers you can pretty
> > much do what you want if it receives a QTYPE = ANY.
> While that is true, I feel that whatever an auth chooses to serve up
> for ANY would still consist of zero or more RRsets, which means the
> RRSIGs and NSECs that go with them could validate. Right?

That would indeed be a nice thing to do if you are an auth. server. But such
a rule still doesn't help a resolver hitting a cache (which, for whatever
reason, just doesn't have the RRSIG).

grtz Miek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://lists.nlnetlabs.nl/pipermail/nsd-users/attachments/20120224/d4e273af/attachment.bin>

More information about the nsd-users mailing list