In message <CAN6NTqxTA5Zo-tFS3TkQ4V08BZq_UyRN4ZQ_=knob0urnct...@mail.gmail.com>, Ólafur Guðmundsson writes:
>
> On Sun, Oct 4, 2015 at 7:32 AM, Dave Lawrence <t...@dd.org> wrote:
>
> > A couple of quick observations:
> >
> > * The draft says that the answer in a signed zone MAY be unsigned.
> >   Since this will ultimately cause a SERVFAIL for validating
> >   resolvers, it is not really acceptable.
> >
>
> You and Evan,
> are right we will update the document to reflect this, as returning
> unsigned answers is only accepted by non-validating resolvers and
> figuring out if resolver is validating requires tracking resolver
> behavior thus it is simpler and cheaper to sign.
> Servers with Off-line signed zones have more to gain from this
> functionality.
>
> >
> > * The draft does not describe at all what the proper behaviour is for
> >   an owner name that has a CNAME record. Since CNAMEs require special
> >   handling, this should be addressed. Personally I think the CNAME
> >   should be returned in this case.
> >
>
> good point, we will address it
>
> Olafur

Given * doesn't recurse for CNAME and CNAME can only exist with
NSEC/KEY/RRSIG I would suggest that CNAME + RRSIG is returned.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org