Paul Hoffman wrote:
> The responses will be signed if the zone for which the server is
> authoritative is signed, meaning that validating resolvers can get
> authenticated information about the server if that would influence how they
> treat responses from the server.

How does the zone signer know the capabilities of the nameservers that will serve the zone, and what does it do if the capabilities of those servers differ? It sounds like this is incompatible with offline signing.

Must a primary nameserver exclude AUTHINFO RRs from outgoing AXFRs to secondary nameservers? Must secondary nameservers fail, filter, or replace an incoming AXFR if it contains an AUTHINFO RR?

By making this an RR, it seems like it would be easy to inadvertently serve an incorrect AUTHINFO RR. I think this should be an EDNS option rather than an RR, and if integrity protection beyond that of plain DNS is needed, it can be combined with COOKIE, SIG(0), TSIG, DoT, etc.

-- 
Robert Edmonds

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop