
Consider this zone:

example.org.    SOA (...)
a.example.org.  CNAME b
b.example.org.  CNAME c
c.example.org.  A 1.2.3.4

A query for "a.example.org. A" with DNSSEC and CNAME flattening enabled returns the following result:

;; ANSWER SECTION:
a.example.org.    CNAME b.example.org.
a.example.org.    RRSIG (...)
b.example.org.    CNAME c.example.org.
b.example.org.    RRSIG (...)
c.example.org.    A 1.2.3.4
c.example.org.    RRSIG (...)

;; AUTHORITY SECTION:

;; empty

Shouldn't there be an NSEC record for each CNAME to prove there's no A record?

e.g.:

;; AUTHORITY SECTION:

a.example.org.    NSEC b.example.org. CNAME RRSIG NSEC
a.example.org.    RRSIG (...)
b.example.org.    NSEC c.example.org. CNAME RRSIG NSEC
b.example.org.    RRSIG (...)
arash kordi
  • Who is your DNS provider? – Michael Hampton Jul 24 '18 at 13:27
  • Why do you want to get an NSEC record? You will get it if you ask for something non-existing; if you ask for a CNAME you get the reply with the CNAME and the RRSIG, there is no need to give you an NSEC... And NSEC or not NSEC, there cannot be a CNAME and an A record at the same time on the same label... – Patrick Mevzek Jul 28 '18 at 19:23
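
How a validating resolver can walk the response from the question, as an added example (not code from the post or from any resolver): each signed CNAME is itself the positive answer at its owner name, so a denial proof (NSEC) is only needed where the chain ends without data of the queried type. The record tuples, status strings and the presence-only RRSIG check are assumptions made for illustration.

```python
# Constructed sample: the answer section from the question as
# (owner, type, rdata) tuples. An RRSIG's rdata here is just the type it covers;
# a real validator also verifies the signature against the zone's DNSKEY.
ANSWER = [
    ("a.example.org.", "CNAME", "b.example.org."),
    ("a.example.org.", "RRSIG", "CNAME"),
    ("b.example.org.", "CNAME", "c.example.org."),
    ("b.example.org.", "RRSIG", "CNAME"),
    ("c.example.org.", "A", "1.2.3.4"),
    ("c.example.org.", "RRSIG", "A"),
]


def walk_chain(qname, qtype, answer, max_links=8):
    """Follow CNAMEs from qname; return (status, last_name, cnames_followed).

    Status strings are hypothetical labels for this example:
      secure-answer      - qtype data found and every RRset on the way is signed
      bogus-unsigned     - an RRset on the path has no covering RRSIG
      needs-denial-proof - chain ends with neither qtype nor CNAME: only here
                           would NSEC/NSEC3 be required in the authority section
      chain-too-long     - loop or overly long chain
    """
    def rdata(owner, rtype):
        return [r for o, t, r in answer if o == owner and t == rtype]

    def signed(owner, rtype):
        return rtype in rdata(owner, "RRSIG")

    name, path = qname, []
    for _ in range(max_links):
        if rdata(name, qtype):
            status = "secure-answer" if signed(name, qtype) else "bogus-unsigned"
            return (status, name, path)
        target = rdata(name, "CNAME")
        if not target:
            return ("needs-denial-proof", name, path)
        if not signed(name, "CNAME"):
            return ("bogus-unsigned", name, path)
        path.append(name)      # signed CNAME: positive answer at this owner
        name = target[0]
    return ("chain-too-long", name, path)


if __name__ == "__main__":
    print(walk_chain("a.example.org.", "A", ANSWER))
```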

0 Answers