> On Jan 29, 2020, at 9:11 AM, Tony Finch <d...@dotat.at> wrote:
>
> Shane Kerr <sh...@time-travellers.org> wrote:
>>
>> * Returning the entire signed SOA in the additional section, rather than
>> just the serial in an EDNS record (for DNSSEC validation purposes).
>
> I think it would be more traditional to put it in the AUTHORITY section :-)

I see the ":-)", I take it you're not actually suggesting this...

If the reply is an authoritative negative reply, it will already have an SOA in the authority section and EDE option repeating the same is then clearly redundant. Which argues in favour of doing this, ...

BUT, a gratuitous SOA in the authority section will likely also require a corresponding RRSIG, which noticeably raises the packet size of the response making the debugging option too costly, possibly leading to truncation (defeating the intent to debug the response as-is).

Since this is for debugging only, no RRSIG is needed, and using an EDE option for the response seems to make sense.

--
Viktor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop