On Sunday, 19 April 2020 16:49:36 UTC Viktor Dukhovni wrote:
> ...
>
> > Could this work if the authoritative server returned an RRSIG signature
> > of an empty TLSA RRset?
>
> An interesting hypothetical, my take is "no", that's what NSEC is for.
>
>     signed_data = RRSIG_RDATA | RR(1) | RR(2)...  where
>
> seems to suggest that there's at least an RR(1), but indeed the language
> is not 100% clear on whether signatures of empty RRsets are valid.

if the rrset is empty, a validator is within its rights not to look for an RRSIG at all. so, generating one even if possible would be fruitless.

-- Paul
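The `signed_data` construction quoted in the thread, as an added example that is not code from either poster: it builds the signature input for a TLSA RRset and shows that with zero RRs the input is the RRSIG RDATA prefix alone. The function names, owner name, key tag, timestamps and TLSA digests are constructed for illustration, and a non-wildcard owner name is assumed; the code takes no position on whether such a signature is valid.

```python
import struct

TYPE_TLSA, CLASS_IN = 52, 1

def wire_name(name: str) -> bytes:
    """Canonical (lowercased, uncompressed) wire form of a domain name."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def rrsig_rdata(owner, rrtype, alg, orig_ttl, expire, incept, key_tag, signer):
    """RRSIG RDATA with the Signature field left out (18 fixed octets + signer)."""
    labels = len([l for l in owner.rstrip(".").split(".") if l])  # assumes no wildcard
    return struct.pack("!HBBIIIH", rrtype, alg, labels,
                       orig_ttl, expire, incept, key_tag) + wire_name(signer)

def signed_data(owner, rrtype, orig_ttl, rdatas, **sig):
    """RRSIG_RDATA | RR(1) | RR(2)... with the RRs in canonical RDATA order."""
    data = rrsig_rdata(owner, rrtype, orig_ttl=orig_ttl, **sig)
    head = wire_name(owner) + struct.pack("!HHI", rrtype, CLASS_IN, orig_ttl)
    for rdata in sorted(set(rdatas)):  # bytes comparison is the canonical octet order
        data += head + struct.pack("!H", len(rdata)) + rdata
    return data

# Constructed sample values, not taken from the thread.
OWNER = "_25._tcp.mail.example.com."
SIG = dict(alg=13, expire=1588000000, incept=1587000000, key_tag=12345, signer="example.com.")
TLSA_A = bytes([3, 1, 1]) + b"\xaa" * 32
TLSA_B = bytes([3, 1, 1]) + b"\x11" * 32

if __name__ == "__main__":
    print("two RRs :", len(signed_data(OWNER, TYPE_TLSA, 3600, [TLSA_A, TLSA_B], **SIG)), "octets")
    print("empty   :", len(signed_data(OWNER, TYPE_TLSA, 3600, [], **SIG)), "octets (RRSIG_RDATA only)")
```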
