This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[dns-wg] DNSSEC breaks qmail
Roy Arends
roy at nominet.org.uk
Fri Feb 17 15:09:05 CET 2006
dns-wg-admin at ripe.net wrote on 17-02-2006 14:49:16:

> On Fri, Feb 17, 2006 at 02:39:02PM +0100, Roy Arends wrote:
>
> > for authority and additional section information to be send to the stub. I
> > have no idea why an rfc4035 compliant resolver would send RRSIGs NSECs or
> > DNSKEYs to a stub if the DO bit was not set. ANY only covers those if
> > DO=1. [...]
>
> section 3 of RFC 4035 (top of page 9) says:
>
>    A security-aware name server that receives a DNS query that does not
>    include the EDNS OPT pseudo-RR or that has the DO bit clear MUST
>    treat the RRSIG, DNSKEY, and NSEC RRs as it would any other RRset and
>    MUST NOT perform any of the additional processing described below.
>
> "treat ... as it would any other RRset" would support ANY covering those,
> which is consistent with RFC 3225.
>
> -Peter

Maybe this helps:

3.2.  Recursive Name Servers

3.2.1.  The DO Bit

   The resolver side of a security-aware recursive name server MUST set
   the DO bit when sending requests, regardless of the state of the DO
   bit in the initiating request received by the name server side.  If
   the DO bit in an initiating query is not set, the name server side
   MUST strip any authenticating DNSSEC RRs from the response but MUST
   NOT strip any DNSSEC RR types that the initiating query explicitly
   requested.

The important part is the last full sentence.

Roy
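
Added example, not part of the message above and not taken from any resolver's code: a sketch of the stripping rule in the quoted section 3.2.1, applied to a constructed response. The `RR` record, the function names and the `any_requests_dnssec` switch are assumptions made for illustration; the switch exists only because the thread disagrees on whether QTYPE=ANY counts as explicitly requesting DNSSEC types.

```python
from dataclasses import dataclass

# The three RR types named in the RFC 4035 text quoted in this thread.
DNSSEC_TYPES = frozenset({"RRSIG", "DNSKEY", "NSEC"})


@dataclass(frozen=True)
class RR:
    section: str  # "answer", "authority" or "additional"
    owner: str
    rtype: str
    covered: str = ""  # for an RRSIG: the type it signs


def strip_for_client(rrs, qtype, do_bit, any_requests_dnssec=False):
    """Return the RRs a recursive server passes back to the initiating client.

    any_requests_dnssec is a hypothetical policy switch, not an RFC term.
    """
    if do_bit:
        return list(rrs)  # client set DO: nothing is stripped
    kept = []
    for rr in rrs:
        if rr.rtype not in DNSSEC_TYPES:
            kept.append(rr)  # ordinary data is never stripped
        elif rr.rtype == qtype:
            kept.append(rr)  # explicitly requested type: MUST NOT strip
        elif qtype == "ANY" and any_requests_dnssec:
            kept.append(rr)  # only under the "ANY covers those" reading
    return kept


def sample_response():
    """Constructed upstream data (the resolver side always sets DO)."""
    return [
        RR("answer", "example.org.", "MX"),
        RR("answer", "example.org.", "RRSIG", "MX"),
        RR("answer", "example.org.", "DNSKEY"),
        RR("answer", "example.org.", "RRSIG", "DNSKEY"),
        RR("authority", "example.org.", "NS"),
        RR("authority", "example.org.", "RRSIG", "NS"),
        RR("additional", "mail.example.org.", "A"),
        RR("additional", "mail.example.org.", "RRSIG", "A"),
    ]


def types(rrs):
    return [rr.rtype for rr in rrs]
```

With DO clear, a DNSKEY query keeps the DNSKEY record but still loses the RRSIG that covers it, since only the explicitly requested type is exempt from stripping.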