validation should only consist of checking that each key in the key set
is also in the list of security root keys.
Strangeness occurs when the key set is signed, since the key set is marked
as secure, but the sig set is not, since it wasn't used in the validation
process. This means that a query for a key set at a security root will
have the AD bit set if the key set is unsigned and not if the key set is signed.
match does not have associated data and DNS_RBTFIND_EMPTYDATA is not set.
Return DNS_R_PARTIALMATCH instead if there is a superdomain with
data, or ISC_R_NOTFOUND if no superdomain has data.
Make dns_rbt_findname() honor DNS_RBTFIND_EMPTYDATA, per the rbt.h
documentation that has been saying it will. It didn't.
the DNS_DB_NOEXACT flag. This means that the resolver will start look for the
key at or above the parent zone, and will return the key set from the parent
zone if key sets are present in both the parent and child.
DNS_R_DELEGATION, don't use the domain & ns set found by dns_db_find().
This means that a recursive server will not immediately ask the child zone
for a key set at the apex; the resolver will determine who to ask.
algorithm to more closely follow RFC1035, so that root servers will
provide a more complete set of name server glue addresses in ccTLD
referral responses.
For non-referral responses, the server no longer uses glue as
additional data.
For referral responses, the servers now looks for glue A/AAAA/A6 RRs
in the zone where the NS RRs reside, even in the case where this is
different from the zone where the A/AAAA/A6 RRs would have resided had
they been authoritative data.
A6 chains included as additional info may not yet fully follow these
rules.
algorithm to more closely follow RFC1035, so that root servers will
provide a more complete set of name server glue addresses in ccTLD
referral responses.
For non-referral responses, the server no longer uses glue as
additional data.
For referral responses, the servers now looks for glue A/AAAA/A6 RRs
in the zone where the NS RRs reside, even in the case where this is
different from the zone where the A/AAAA/A6 RRs would have resided had
they been authoritative data.
A6 chains included as additional info may not yet fully follow these
rules.
NULL. It appears that zone maintenance can occur when the zone is shutting
down and the view pointer is NULL. We don't want to do zone maintenance in
this case.
