MoinQ:

1. DNS/Terminology/wildcards/closest_encloser


Notes on the DNSSEC standard : http://www.george-barwood.pwp.blueyonder.co.uk/DnsServer/NotesOnDNSSSEC.htm

Cache structure and Wildcard responses

NSEC Non-existence proofs

(3) "Closest encloser"

This is the longest ancestor of SNAME that "exists" (it can be an empty non-terminal).

SNAME is the name where the NoData or NxDomain authentication is being performed, as per RFC 1034 section 5.3.2.

We find the closest encloser by inspecting the names in the NSEC records present in the response (both the Owner name and the NextName).

If no ancestor of SNAME is found, the response is bogus.

Example: suppose the query is [b.c.d.example.com MX], and the response has the NSEC record

The closest encloser is b.c.d.example.com.
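The search described above, as an added Python sketch (not code from the original notes). It assumes the NSEC records have already passed RRSIG validation, treats every ancestor of an NSEC owner or next name as existing (possibly as an empty non-terminal), and takes an optional `zone` apex; the function names and the `zone` parameter are hypothetical.

```python
def labels(name):
    """Split a DNS name into lowercase labels, root-first (DNS is case-insensitive)."""
    name = name.rstrip(".").lower()
    return name.split(".")[::-1] if name else []


def closest_encloser(sname, nsec_records, zone=None):
    """Return the longest ancestor-or-self of sname proven to exist, or None.

    nsec_records: iterable of (owner, next_name) pairs taken from the NSEC
    records in the response (assumed already signature-validated).
    zone: optional zone apex; an encloser above the apex is rejected.
    None means no ancestor was found, so the response is bogus.
    """
    target = labels(sname)
    best = 0
    for owner, next_name in nsec_records:
        # Both the owner name and the next name are names that exist.
        for name in (owner, next_name):
            shared = 0
            for a, b in zip(target, labels(name)):
                if a != b:
                    break
                shared += 1
            # The shared suffix is an ancestor (or self) of an existing
            # name, so it exists too, at least as an empty non-terminal.
            best = max(best, shared)

    apex = labels(zone) if zone else []
    if apex and target[:len(apex)] != apex:
        return None            # SNAME is not inside the zone at all
    if best < max(len(apex), 1):
        return None            # only the root (or less than the apex) matched
    return ".".join(reversed(target[:best]))


if __name__ == "__main__":
    # Constructed sample record, not taken from the page.
    sample = [("b.c.d.example.com", "e.example.com")]
    for q in ("x.b.c.d.example.com", "z.c.d.example.com", "www.example.org"):
        print(q, "->", closest_encloser(q, sample, zone="example.com"))
```

A `None` result corresponds to the "no ancestor of SNAME is found" case, which the validator should treat as bogus.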