Petr Špaček <petr.spa...@nic.cz> wrote:
>
> The case QTYPE=RRSIG should be made more prominent so it is understood
> and not misused as ANY. There are implementations like Knot Resolver
> which work around missing RRSIG records in replies using
> QTYPE=RRSIG.

Gosh! In what situations do you get missing RRSIGs? Is that not a sign
that either your upstream server doesn't support DO=1, or that you are
under attack from a malefactor / middlebox? Why not re-query a different
upstream server with the full query?

The BIND 9.11 minimal-any implementation treats RRSIG queries similarly to
ANY queries, so it only returns one RRset's RRSIGs (i.e. a subset of the
RRSIGs all with the same type-covered field).

Cloudflare's response to RRSIG queries is REFUSED. Negligible risk of
interop problems in this case, unlike ANY.

I think RRSIG is a diverting sideshow. It might merit a mention in the
abstract but I don't think it needs to be in the title.

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
South Fitzroy: Northeasterly 5 or 6, occasionally 7. Moderate or rough. Mainly
fair. Mainly good.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
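An added illustration of the two server behaviours Tony describes (BIND 9.11 minimal-any returning one RRset's RRSIGs, Cloudflare returning REFUSED) and of what a resolver that re-queries with QTYPE=RRSIG to recover a "missing" signature actually gets back. This is example code written for this page, not code from BIND, Knot Resolver or Cloudflare; the sample RRSIGs are constructed, and the rule that the first type-covered value is the one chosen is an assumption, since the thread does not say how BIND picks the RRset.

```python
"""Model of a minimal-ANY style answer to QTYPE=RRSIG versus a REFUSED answer,
seen from both the server and the resolver side. Constructed sample data."""
from collections import OrderedDict

# Constructed RRSIG records in presentation format; the signature field is a
# placeholder, which is fine here because only the type-covered field matters.
SAMPLE_RRSIGS = [
    "example.test. 3600 IN RRSIG A 13 2 3600 20240201000000 20240101000000 12345 example.test. SIG-A",
    "example.test. 3600 IN RRSIG AAAA 13 2 3600 20240201000000 20240101000000 12345 example.test. SIG-AAAA",
    "example.test. 3600 IN RRSIG MX 13 2 3600 20240201000000 20240101000000 12345 example.test. SIG-MX",
    "example.test. 3600 IN RRSIG MX 8 2 3600 20240201000000 20240101000000 54321 example.test. SIG-MX-2",
]

def parse_rrsig(line):
    """Split one RRSIG presentation-format line into its RFC 4034 fields."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: " + line)
    return {"owner": f[0], "type_covered": f[4], "algorithm": int(f[5]),
            "labels": int(f[6]), "orig_ttl": int(f[7]), "expiration": f[8],
            "inception": f[9], "key_tag": int(f[10]), "signer": f[11],
            "signature": f[12]}

def minimal_rrsig_answer(rrsigs):
    """Minimal-any style answer to QTYPE=RRSIG: only the RRSIGs that share one
    type-covered value. Assumption: the first type seen is the one returned."""
    groups = OrderedDict()
    for sig in rrsigs:
        groups.setdefault(sig["type_covered"], []).append(sig)
    if not groups:
        return []
    return next(iter(groups.values()))

def refused_answer(_rrsigs):
    """Cloudflare-style handling described in the thread: no data, RCODE REFUSED."""
    return {"rcode": "REFUSED", "answer": []}

def sigs_covering(answer, wanted_type):
    """Resolver side: which returned RRSIGs cover the RRset we were missing?"""
    return [sig for sig in answer if sig["type_covered"] == wanted_type]

def demo():
    """A resolver missing the MX RRSIG re-asks with QTYPE=RRSIG; with a
    minimal-any server it gets signatures for a single other type and no MX."""
    sigs = [parse_rrsig(line) for line in SAMPLE_RRSIGS]
    answer = minimal_rrsig_answer(sigs)
    covered = sorted({s["type_covered"] for s in answer})
    return covered, len(sigs_covering(answer, "MX"))

if __name__ == "__main__":
    print(demo())
```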
