On Feb 28, 2021, at 11:35 AM, Vladimír Čunát <[email protected]> wrote:
>
> On 2/28/21 3:24 AM, Paul Hoffman wrote:
>> On Feb 27, 2021, at 5:32 PM, Mark Andrews <[email protected]>
>> wrote:
>>
>>> It says that RRSIGs exist at that name.
>>>
>> Could you say more? I don't understand the context here.
>>
>> For example, "dig @f.root-servers.net -4 nl rrsig" gives a reply with no
>> Answer section.
>>
> Explicit QTYPE=RRSIG is a gray area, I believe.

If that's true, then it argues for an update to the simple sentences in RFC 4035.

> In some cases it could be a DoS vector [1], and I don't know of a use case
> for such a query, so it makes sense not to answer (in full). In your
> particular example, if you ask for DS nl, you will get all RRSIGs for that
> name-type pair. Overall, it's even explicitly standardized that RRSIGs do
> not form an RRset; they're more like an appendage to the RRset they sign.
>
> [1] https://tools.ietf.org/html/rfc8482#section-7

That RFC (a) doesn't update RFC 4025 and (b) is only about QTYPE of "ANY".

--Paul Hoffman
