On 2/28/21 3:24 AM, Paul Hoffman wrote:
> On Feb 27, 2021, at 5:32 PM, Mark Andrews <[email protected]> wrote:
>> It says that RRSIGs exist at that name.
>
> Could you say more? I don't understand the context here.
>
> For example, "dig @f.root-servers.net -4 nl rrsig" gives a reply with no Answer
> section.

Explicit QTYPE=RRSIG is a gray area, I believe. In some cases it could
be a DoS vector [1], and I don't know of a use case for such a query, so
it makes sense not to answer (in full). In your particular example, if
you ask for DS nl, you will get all RRSIGs for that name-type pair.
Overall, it's even explicitly standardized that RRSIGs do not form an
RRset; they're more like an appendage to the RRset they sign.
[1] https://tools.ietf.org/html/rfc8482#section-7
--Vladimir
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
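
The point made in the message above, that RRSIGs are attached to the RRset they sign rather than forming an RRset of their own, shown as an added example that is not part of the original thread. The records, timestamps, key tag and signature bytes are constructed sample data; the function names are hypothetical.

```python
import struct
from collections import defaultdict

# RR type codes from the IANA DNS parameters registry.
NS, DS, RRSIG, NSEC = 2, 43, 46, 47

def wire_name(name):
    """Encode a domain name in uncompressed DNS wire format."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def rrsig_rdata(covered, labels, signer, sig=b"\x00" * 8):
    """Build RRSIG RDATA (RFC 4034 section 3.1) with constructed field values."""
    fixed = struct.pack("!HBBIIIH", covered, 8, labels, 86400,
                        1615000000, 1614000000, 12345)
    return fixed + wire_name(signer) + sig

def type_covered(rdata):
    """The first two octets of RRSIG RDATA name the type the signature covers."""
    return struct.unpack("!H", rdata[:2])[0]

def attach_signatures(records):
    """Group (owner, rtype, rdata) tuples into RRsets keyed by (owner, type).

    An RRSIG never gets a key of its own: it is filed under the RRset
    identified by its owner name and Type Covered field.
    """
    rrsets = defaultdict(lambda: {"rdata": [], "rrsigs": []})
    for owner, rtype, rdata in records:
        if rtype == RRSIG:
            rrsets[(owner.lower(), type_covered(rdata))]["rrsigs"].append(rdata)
        else:
            rrsets[(owner.lower(), rtype)]["rdata"].append(rdata)
    return dict(rrsets)

def signatures_for(records, owner, rtype):
    """Return the RRSIGs a validator needs for one name-type pair."""
    rrset = attach_signatures(records).get((owner.lower(), rtype))
    return rrset["rrsigs"] if rrset else []

# Constructed sample: records owned by "nl." as they might appear in a parent zone.
SAMPLE = [
    ("nl.", DS, b"constructed-ds-rdata"),
    ("nl.", RRSIG, rrsig_rdata(DS, 1, ".")),
    ("nl.", NSEC, b"constructed-nsec-rdata"),
    ("nl.", RRSIG, rrsig_rdata(NSEC, 1, ".")),
]
```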