Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:
>
> > No, you need to look up the domain's DS records to determine its DNSSEC
> > status.
>
> Actually, I chose my recommendation of SOA lookup after some thought
> and with care. A domain may have no DS records, and yet be signed
> because it is not a (delegated) zone apex domain. Furthermore, an
> SOA query elicits data from the domain itself, not the parent, and
> thus ensures that any published DS records up the tree yield working
> signatures for records in the zone containing the domain.
OK, I thought you meant to query for the SOA of the zone containing the
CAA domain, and I meant to query for the closest enclosing negatively or
positively resolvable DS. The CAA search has to walk the DNS tree anyway,
so finding the closest enclosing DS is a similar kind of process.

> If the SOA lookup fails, then the domain is severely broken

No, it might just be private.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
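How the two searches line up, as an added example that is not code from the thread: the CAA walk up the tree (RFC 8659) and a walk down the same path over the zone cuts to find the closest enclosing DS status. The delegation map, owner names and DS digests are constructed placeholders standing in for a validating resolver's answers.

```python
# Added example, not code from the thread. Constructed, in-memory stand-in
# for a validating resolver's answers: a zone cut maps to its DS RRset, or
# to None when the parent gives authenticated denial of DS (insecure
# delegation). Names that are absent are not zone cuts at all; they live
# inside the enclosing zone, which is Viktor's "no DS, yet signed" case.
DELEGATIONS = {
    ".": ["root trust anchor"],
    "example.": ["31589 13 2 <digest placeholder>"],
    "insecure.example.": None,
    "island.insecure.example.": ["12345 13 2 <digest placeholder>"],
}

# Constructed CAA RRsets keyed by owner name.
CAA = {
    "example.": ['0 issue "ca.example.net"'],
    "island.insecure.example.": ['0 issue ";"'],
}

def ancestors(name):
    """Yield name, then each parent, ending at the root '.'."""
    labels = name.rstrip(".").split(".") if name != "." else []
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."
    yield "."

def caa_lookup(name):
    """RFC 8659 search: nearest owner (self or ancestor) that has CAA."""
    for owner in ancestors(name):
        if owner in CAA:
            return owner, CAA[owner]
    return None, []

def dnssec_status(name):
    """Walk the zone cuts on the CAA search path from the root downward.

    Every cut must carry DS for the chain to hold; the first cut whose DS
    is denied makes everything beneath it insecure, even if a deeper cut
    publishes DS again (an island of security). Returns (status, cut).
    """
    cuts = [n for n in ancestors(name) if n in DELEGATIONS][::-1]
    for cut in cuts:
        if DELEGATIONS[cut] is None:
            return "insecure", cut
    return "secure", cuts[-1]
```

Note that www.sub.example. has no DS of its own yet comes back "secure", because its closest enclosing cut example. does, while anything beneath insecure.example. is "insecure" regardless of deeper DS records.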