Re: DNSEXT WG LAst Call: Dnssec OK bit.
- To: Olafur Gudmundsson <ogud@tislabs.com>
- Subject: Re: DNSEXT WG LAst Call: Dnssec OK bit.
- From: Mark Kosters <markk@netsol.com>
- Date: Thu, 30 Nov 2000 09:41:27 -0500
- Cc: DNSEXT WG Mailing list <namedroppers@ops.ietf.org>
- Delivery-date: Thu, 30 Nov 2000 07:33:24 -0800
- Envelope-to: namedroppers-data@psg.com
Olafur
On Wed, Nov 29, 2000 at 02:26:15PM -0500, Olafur Gudmundsson wrote:
> This draft is on standards track, if you disagree with that please state why
> in your response.
I'm not sure I disagree but am curious for further rationale. In the
latest version of this draft a part of section 3 was rewritten to say:
# More explicitly, DNSSEC-aware nameservers MUST NOT insert SIG, KEY,
# or NXT RRs to authenticate a response as specified in [RFC2535]
# unless the DO bit was set on the request. Security records that match
# an explicit SIG, KEY, NXT, or ANY query, or are part of the zone data
# for an AXFR or IXFR query, are included whether or not the DO bit was
# set.
Why is an ANY query listed along with SIG, KEY, and NXT? SIG, KEY, and NXT
have explicit security context whereas ANY does not. To me, an ANY query
is ambiguous at best and should have the OK bit set for an RFC2535 response.
Mark
--
Mark Kosters markk@netsol.com Verisign Applied Research
PGP Key fingerprint = 1A 2A 92 F8 8E D3 47 F9 15 65 80 87 68 13 F6 48
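An added example, not part of the original message or of the draft: a Python rendering of the section 3 rule quoted above, which reads the DO bit from the OPT RR of a query and decides whether SIG, KEY or NXT RRs may appear in the response. The function names and the sample queries are constructed for illustration; the DO bit position (top bit of the flags half of the OPT TTL field) is the one the DNSSEC OK draft defines, and ANY is treated here exactly as the quoted text lists it.

```python
import struct

# RR type codes: A, SIG/KEY/NXT (RFC 2535), OPT (EDNS0), IXFR, AXFR, ANY
A, SIG, KEY, NXT, OPT, IXFR, AXFR, ANY = 1, 24, 25, 30, 41, 251, 252, 255
DO_MASK = 0x8000  # top bit of the 16-bit flags half of the OPT TTL field

def build_query(qname, qtype, do_bit, edns=True):
    """Build a minimal query in wire format (constructed sample input)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns else 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    msg = header + name + struct.pack("!HH", qtype, 1)
    if edns:  # OPT RR: root owner, TYPE, CLASS=UDP size, TTL=flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", OPT, 4096, DO_MASK if do_bit else 0, 0)
    return msg

def skip_name(msg, pos):
    """Return the offset just past the domain name starting at pos."""
    while True:
        n = msg[pos]
        if n == 0:
            return pos + 1
        if n & 0xC0 == 0xC0:      # compression pointer ends the name
            return pos + 2
        if n & 0xC0:
            raise ValueError("unsupported label type")
        pos += 1 + n

def parse_query(msg):
    """Return (qtype, do_bit); a query without an OPT RR has DO clear."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    if qd != 1 or an or ns:
        raise ValueError("expected a plain single-question query")
    pos = skip_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    pos += 4
    do_bit = False
    for _ in range(ar):           # walk the additional section for OPT
        pos = skip_name(msg, pos)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10 + rdlen
        if rtype == OPT:
            do_bit = bool(ttl & DO_MASK)
    return qtype, do_bit

def security_rr_policy(qtype, do_bit):
    """Why SIG/KEY/NXT RRs may appear in the response, or 'omit'."""
    if do_bit:
        return "authenticate"     # requester signalled DNSSEC OK
    if qtype in (AXFR, IXFR):
        return "zone-transfer"    # security RRs are part of the zone data
    if qtype in (SIG, KEY, NXT, ANY):
        return "matched"          # records match the explicit query
    return "omit"                 # MUST NOT insert SIG, KEY or NXT
```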