Re: DNSEXT WG LAst Call: Dnssec OK bit.
- To: Mark Kosters <markk@netsol.com>
- Subject: Re: DNSEXT WG LAst Call: Dnssec OK bit.
- From: Olafur Gudmundsson <ogud@tislabs.com>
- Date: Thu, 30 Nov 2000 12:12:39 -0500
- Cc: DNSEXT WG Mailing list <namedroppers@ops.ietf.org>
- Delivery-date: Thu, 30 Nov 2000 09:14:13 -0800
- Envelope-to: namedroppers-data@psg.com
At 09:41 AM 11/30/00, Mark Kosters wrote:
>Olafur
>
>On Wed, Nov 29, 2000 at 02:26:15PM -0500, Olafur Gudmundsson wrote:
> > This draft is on standards track, if you disagree with that please state why
> > in your response.
>
>I'm not sure I disagree but am curious for further rationale. In the
>latest version of this draft a part of section 3 was rewritten to say:
Because the draft updates RFC2535 it must be standards track unless there is
a good reason otherwise.
># More explicitly, DNSSEC-aware nameservers MUST NOT insert SIG, KEY,
># or NXT RRs to authenticate a response as specified in [RFC2535]
># unless the DO bit was set on the request. Security records that match
># an explicit SIG, KEY, NXT, or ANY query, or are part of the zone data
># for an AXFR or IXFR query, are included whether or not the DO bit was
># set.
>
>Why is an ANY query listed along with SIG, KEY, and NXT? SIG, KEY, and NXT
>have explicit security context whereas ANY does not. To me, an ANY query
>is ambiguous at best should have the OK bit set for a RFC2535 response.
Answering for David (the editor), without his permission:
This is a clarification on what to do on an ANY query; sending S+N+K
records back to an ANY query is the right thing to do, as they are records
stored at that name.
The thrust of the draft is to say only do RFC2535 record additions when
the OK bit is set, but do not suppress the S+N+K records on explicit queries
even if the OK bit is not there.
Olafur
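
The rule discussed in this message, as an added example that is not part of the original e-mail or the draft: a server-side check that reads the query type and the DO bit from a wire-format query and decides whether RFC2535 records are added. The function names are hypothetical, the sample queries are constructed, and the DO bit position (top flag bit of the EDNS0 OPT record's TTL field) is taken from RFC 3225, not from this message.

```python
import struct

# RR type codes (IANA registry)
SIG, KEY, NXT, OPT, IXFR, AXFR, ANY = 24, 25, 30, 41, 251, 252, 255
# Query types whose matching/zone records are returned whether or not DO is set
EXPLICIT = {SIG, KEY, NXT, ANY, AXFR, IXFR}

def skip_name(msg, off):
    """Return the offset just past an encoded domain name."""
    while True:
        n = msg[off]              # IndexError on a truncated message
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # a compression pointer ends the name
            return off + 2
        off += 1 + n

def parse_query(msg):
    """Return (qtype, do_bit) for a single-question query."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    if qd != 1:
        raise ValueError("expected exactly one question")
    off = skip_name(msg, 12)
    qtype, _qclass = struct.unpack_from("!2H", msg, off)
    off += 4
    do_bit = False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == OPT:          # OPT TTL = ext-rcode | version | flags
            do_bit = bool(ttl & 0x8000)
    return qtype, do_bit

def security_rr_policy(msg):
    """'explicit': return SIG/KEY/NXT that match the query or zone transfer;
    'add': also add authenticating records; 'omit': add none."""
    qtype, do_bit = parse_query(msg)
    if qtype in EXPLICIT:
        return "explicit"
    return "add" if do_bit else "omit"

def build_query(qtype, do=None):
    """Constructed sample query for example.com; do=None sends no OPT RR."""
    hdr = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0 if do is None else 1)
    q = b"\x07example\x03com\x00" + struct.pack("!2H", qtype, 1)
    if do is None:
        return hdr + q
    return hdr + q + b"\x00" + struct.pack("!HHIH", OPT, 4096, 0x8000 if do else 0, 0)
```
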