This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[dns-wg] DNSSEC breaks qmail

Previous message (by thread): [dns-wg] DNSSEC breaks qmail
Next message (by thread): [dns-wg] DNSSEC breaks qmail

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Peter Koch pk at DENIC.DE
Fri Feb 17 14:49:16 CET 2006

On Fri, Feb 17, 2006 at 02:39:02PM +0100, Roy Arends wrote:

> for authority and additional section information to be send to the stub. I 
> have no idea why an rfc4035 compliant resolver would send RRSIGs NSECs or 
> DNSKEYs to a stub if the DO bit was not set. ANY only covers those if 
> DO=1. [...]

section 3 of RFC 4035 (top of page 9) says:

   A security-aware name server that receives a DNS query that does not
   include the EDNS OPT pseudo-RR or that has the DO bit clear MUST
   treat the RRSIG, DNSKEY, and NSEC RRs as it would any other RRset and
   MUST NOT perform any of the additional processing described below.

"treat ... as it would any other RRset" would support ANY covering those,
which is consistent with RFC 3225.

-Peter

Previous message (by thread): [dns-wg] DNSSEC breaks qmail
Next message (by thread): [dns-wg] DNSSEC breaks qmail

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ dns-wg Archives ]