On Sep 3, 2008, at 8:13 AM, Stephane Bortzmeyer wrote:

> On Wed, Sep 03, 2008 at 11:33:54AM +1000,
>  Mark Andrews <[EMAIL PROTECTED]> wrote
>  a message of 24 lines which said:
>
>> A NXDOMAIN response if cryptographically proved with DNSSEC.
>
> 2) You are playing with words.
>
> "The domain example.org does not exist" can be cryptographically proved
> with DNSSEC, that's correct. But you need NSEC* records to do so, you
> cannot directly sign a NXDOMAIN response.

Mark is not playing with words. His statement is absolutely correct.

He did not state nor imply that the NXDOMAIN response is _signed_, nor
that rcode=3 (name error) is _signed_. The header is indeed not signed
with DNSSEC. The header includes the RCODE, therefore the RCODE is not
signed.

What can be _proved_ by validating a combination of records (an NXDOMAIN
response) is whether the rcode=3 (name error) is correct or not.

I see Mark's message as a clarification, not a rebuttal.

Roy

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
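The record-level reasoning the thread is about, as an added example that is not part of the original messages or of any DNS implementation: the RCODE in the header is never signed, so a validator decides whether rcode=3 is justified by checking the NSEC records in the response (RFC 4034 section 6.1 canonical ordering, RFC 4035 section 5.4 NXDOMAIN proof, RFC 6840 section 4.1 delegation caveat). The code below assumes the NSEC RRs it is handed have already had their RRSIGs validated and come from the zone authoritative for the query name; signature verification is out of scope and not shown. The example.org zone contents and the NSEC chain are constructed for the example.

```python
"""Checking whether NSEC records justify an NXDOMAIN (rcode=3) answer.

Added example, not from the DNSOP thread or any DNS implementation.
Assumption: every NSEC passed in has already had its RRSIG validated
and belongs to the zone authoritative for the query name.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class NSEC:
    owner: str
    next_name: str
    types: frozenset = frozenset()  # RR types present at owner (type bitmap)


def canonical_key(name: str) -> tuple:
    """RFC 4034 s.6.1 ordering: compare labels right to left, case-folded,
    as unsigned octets; a name sorts before its descendants. "." -> ()."""
    labels = [l.lower().encode("ascii") for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))


def is_ancestor_or_self(anc: str, name: str) -> bool:
    a, n = canonical_key(anc), canonical_key(name)
    return n[: len(a)] == a


def nsec_covers(rr: NSEC, qname: str) -> bool:
    """True if qname lies strictly between owner and next in canonical order.
    The last NSEC in a zone points back to the apex (next <= owner), and then
    covers every name sorting after its owner."""
    o, n, q = canonical_key(rr.owner), canonical_key(rr.next_name), canonical_key(qname)
    if q == o or q == n:
        return False  # the name owns records, so it exists
    if n <= o:
        return q > o
    return o < q < n


def closest_encloser(rr: NSEC, qname: str) -> str:
    """Longest existing ancestor of qname: nothing between owner and next
    exists, so it is the longest common ancestor of qname and the owner."""
    o, q = canonical_key(rr.owner), canonical_key(qname)
    i = 0
    while i < min(len(o), len(q)) and o[i] == q[i]:
        i += 1
    return ".".join(l.decode() for l in reversed(o[:i])) + "." if i else "."


def proves_nxdomain(nsecs: Iterable[NSEC], qname: str) -> bool:
    """RFC 4035 s.5.4: rcode=3 is proven when (1) a validated NSEC covers qname
    and (2) a validated NSEC covers *.<closest encloser>, so no wildcard could
    have synthesised an answer. A delegation NSEC (NS set, SOA clear) cannot
    prove non-existence of names below the zone cut (RFC 6840 s.4.1)."""
    nsecs = list(nsecs)
    for rr in nsecs:
        if not nsec_covers(rr, qname):
            continue
        if "NS" in rr.types and "SOA" not in rr.types and is_ancestor_or_self(rr.owner, qname):
            continue  # below a delegation: the child zone is authoritative
        wildcard = "*." + closest_encloser(rr, qname).lstrip(".")
        if any(nsec_covers(w, wildcard) for w in nsecs):
            return True
    return False


# Constructed zone: example.org. with a, host, sub (delegation) and z.
ZONE_NSECS = [
    NSEC("example.org.", "a.example.org.", frozenset({"SOA", "NS", "DNSKEY", "NSEC", "RRSIG"})),
    NSEC("a.example.org.", "host.example.org.", frozenset({"A", "NSEC", "RRSIG"})),
    NSEC("host.example.org.", "sub.example.org.", frozenset({"A", "NSEC", "RRSIG"})),
    NSEC("sub.example.org.", "z.example.org.", frozenset({"NS", "NSEC", "RRSIG"})),
    NSEC("z.example.org.", "example.org.", frozenset({"A", "NSEC", "RRSIG"})),
]

# Constructed variant with a wildcard: NXDOMAIN would be wrong for b.example.org.
WILDCARD_NSECS = [
    NSEC("example.org.", "*.example.org.", frozenset({"SOA", "NS", "NSEC", "RRSIG"})),
    NSEC("*.example.org.", "a.example.org.", frozenset({"A", "NSEC", "RRSIG"})),
    NSEC("a.example.org.", "example.org.", frozenset({"A", "NSEC", "RRSIG"})),
]

if __name__ == "__main__":
    for q in ("b.example.org.", "zz.example.org.", "a.example.org.", "x.sub.example.org."):
        print(q, "NXDOMAIN proven:", proves_nxdomain(ZONE_NSECS, q))
    print("b.example.org. under wildcard zone:", proves_nxdomain(WILDCARD_NSECS, "b.example.org."))
```

Two details are worth noting. The closest encloser is derived rather than supplied, because every name between the covering NSEC's owner and its next name is absent, so the longest existing ancestor of the query name is the longest ancestor it shares with the owner. And the delegation check matters in practice: an NSEC at a zone cut proves nothing about names inside the child zone, so a resolver that accepted it would turn a perfectly valid child-zone name into a "proven" NXDOMAIN.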