This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] DNSSEC breaks qmail
- Previous message (by thread): [dns-wg] DNSSEC breaks qmail
- Next message (by thread): [dns-wg] DNSSEC breaks qmail
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Peter Koch
pk at DENIC.DE
Fri Feb 17 14:49:16 CET 2006
On Fri, Feb 17, 2006 at 02:39:02PM +0100, Roy Arends wrote: > for authority and additional section information to be send to the stub. I > have no idea why an rfc4035 compliant resolver would send RRSIGs NSECs or > DNSKEYs to a stub if the DO bit was not set. ANY only covers those if > DO=1. [...] section 3 of RFC 4035 (top of page 9) says: A security-aware name server that receives a DNS query that does not include the EDNS OPT pseudo-RR or that has the DO bit clear MUST treat the RRSIG, DNSKEY, and NSEC RRs as it would any other RRset and MUST NOT perform any of the additional processing described below. "treat ... as it would any other RRset" would support ANY covering those, which is consistent with RFC 3225. -Peter
- Previous message (by thread): [dns-wg] DNSSEC breaks qmail
- Next message (by thread): [dns-wg] DNSSEC breaks qmail
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ dns-wg Archives ]