To: dnssec@cafax.se
Cc: nsd-team@nlnetlabs.nl
From: "Olaf M. Kolkman" <olaf@ripe.net>
Date: Wed, 3 Apr 2002 15:15:34 +0200
Sender: owner-dnssec@cafax.se
Subject: OPT-IN and response synthesis clarification needed

Suppose we have the following zone file (you'll understand the
shorthand I'm sure):

$ORIGIN greek
@        SOA
         SIG(SOA) greek 1
         KEY 1
         NXT alpha
alpha    A 10.0.0.1
         SIG(A) greek 1
         NXT-OPT zeta (opt in style)
         SIG (NXT) greek 1
lambda   A 10.0.0.4
         SIG(A) greek 1
omega    A 10.0.0.5
         SIG(A) greek 1
         NXT greek.

Should the answer for a query for QNAME=lambda.greek QTYPE=A with the
DO bit generate an answer with the SIG included in the answer section?
The reason for inclusion is to allow resolvers that explicitly trust
the greek key 1 to verify the data. On the other hand the zone owner
states explicitly that lambda.greek is not secured.

I would say that you should include the SIG and leave it to the
resolver's policy to either trust the OPT-IN NXT and ignore the SIG or
to ignore the OPT-IN NXT and trust the SIG.

Is this the proper approach?
--Olaf
P.S. Should this go to namedroppers?
--------------------------------------------| Olaf M. Kolkman
| www.ripe.net/disi