On Sep 11, 2020, at 6:29 PM, Robert Edmonds <edmo...@mycre.ws> wrote:
>
> Paul Hoffman wrote:
>> The responses will be signed if the zone for which the server is
>> authoritative is signed, meaning that validating resolvers can get
>> authenticated information about the server if that would influence how they
>> treat responses from the server.
>
> How does the zone signer know the capabilities of the nameservers that
> will serve the zone and what does it do if the capabilities of those
> servers differ?

Because the zone owner wrote an AUTHINFO RR into the zone. This is no different than any other record.

> It sounds like this is incompatible with offline
> signing.

Not at all. Offline signing works on RRs.

> Must a primary nameserver exclude AUTHINFO RR's from outgoing AXFRs to
> secondary nameservers?

No.

> Must secondary nameservers fail, filter, or
> replace an incoming AXFR if it contains an AUTHINFO RR?

No.

> By making this
> an RR it seems like it would be easy to inadvertently serve an incorrect
> AUTHINFO RR.

In what case would a secondary have different information than the primary?

> I think this should be an EDNS option rather than an RR and if integrity
> protection beyond that of plain DNS is needed, it can be combined with
> COOKIE, SIG(0), TSIG, DoT, etc.

Again, we're fine with using an EDNS option if people don't want the information signed or cached. This seems like a steep limitation for benefits I still don't see (as shown above), but if that's what the WG wants, it's an easy change to make.

--Paul Hoffman
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
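The two mechanics the reply leans on, that a secondary can carry an RR type it does not implement and that an offline signer works on RRs without knowing their semantics, can be shown concretely. The following is an added example written for this page; it is not code from the thread, from the draft under discussion, or from any nameserver. It uses the RFC 3597 generic syntax (`TYPEnnnn` and `\# <length> <hex>`) for presentation and the canonical RR form of RFC 4034 section 6 for the signing input. Because AUTHINFO has no type code on the page, the private-use code TYPE65280 is a constructed stand-in, the sample zone lines are constructed, only class IN is handled, and the RRSIG RDATA prefix that precedes the RRs in a real signature input is deliberately left out.

```python
"""
Added example (not from the DNSOP thread or any draft): how an RR whose type a
server does not understand is carried in master-file form (RFC 3597), and what
an offline signer actually hashes for it (RFC 4034 section 6 canonical form).
AUTHINFO has no type code on the page, so the private-use code TYPE65280 is a
constructed stand-in.
"""
import struct

# A small mnemonic table; anything else must use RFC 3597 TYPEnnnn syntax.
KNOWN_TYPES = {"A": 1, "NS": 2, "SOA": 6, "TXT": 16, "AAAA": 28, "RRSIG": 46}


def parse_type(token: str) -> int:
    """Map a type mnemonic or RFC 3597 'TYPEnnnn' token to its 16-bit code."""
    t = token.upper()
    if t in KNOWN_TYPES:
        return KNOWN_TYPES[t]
    if t.startswith("TYPE") and t[4:].isdigit() and 0 <= int(t[4:]) <= 65535:
        return int(t[4:])
    raise ValueError(f"unrecognised type token: {token}")


def parse_generic_rdata(text: str) -> bytes:
    r"""Parse RFC 3597 generic RDATA: '\# <length> <hex octets>' (hex may be space-split)."""
    tokens = text.split()
    if len(tokens) < 2 or tokens[0] != r"\#":
        raise ValueError("RDATA is not in RFC 3597 generic form")
    length = int(tokens[1])
    data = bytes.fromhex("".join(tokens[2:]))
    if len(data) != length:
        raise ValueError(f"declared length {length} != actual length {len(data)}")
    return data


def format_generic_rdata(data: bytes) -> str:
    r"""Emit RDATA in RFC 3597 generic form, as a server that does not know the type would."""
    return r"\# 0" if not data else r"\# %d %s" % (len(data), data.hex().upper())


def parse_master_line(line: str):
    """Parse 'owner TTL IN type rdata' into (owner, ttl, class, type_code, rdata_bytes)."""
    parts = line.split(None, 4)
    if len(parts) != 5:
        raise ValueError(f"malformed RR line: {line!r}")
    owner, ttl, rclass, rtype, rdata_text = parts
    if rclass.upper() != "IN":
        raise ValueError("only class IN is handled here")
    return owner, int(ttl), 1, parse_type(rtype), parse_generic_rdata(rdata_text)


def format_master_line(rr) -> str:
    """Re-emit an RR generically; a secondary that does not implement the type can still serve it."""
    owner, ttl, rclass, rtype, rdata = rr
    return f"{owner} {ttl} IN TYPE{rtype} {format_generic_rdata(rdata)}"


def wire_name(name: str) -> bytes:
    """Uncompressed, lowercased wire-format name (canonical form, RFC 4034 section 6.2)."""
    labels = name.lower().rstrip(".")
    out = b""
    if labels:
        for label in labels.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label length in {name!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def canonical_rr(rr) -> bytes:
    """owner | type | class | TTL | RDLENGTH | RDATA: the per-RR part of an RRSIG input
    (RFC 4034 section 6). For unknown types RDATA is used verbatim, so the signer needs
    no knowledge of the type's semantics."""
    owner, ttl, rclass, rtype, rdata = rr
    return wire_name(owner) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def rrsig_data_input(rrs) -> bytes:
    """Concatenate one RRset's RRs in canonical order (sorted by RDATA, RFC 4034 section 6.3).
    This is the 'RR(1) | RR(2) | ...' tail of the signature input; the RRSIG RDATA prefix
    (type covered, algorithm, labels, TTL, expiration, inception, key tag, signer) is omitted."""
    keys = {(rr[0].lower(), rr[2], rr[3]) for rr in rrs}
    if len(keys) != 1:
        raise ValueError("all RRs must share owner, class and type to form one RRset")
    return b"".join(canonical_rr(rr) for rr in sorted(rrs, key=lambda rr: rr[4]))


# Constructed sample zone fragment: two RRs of an unassigned (private-use) type.
SAMPLE_LINES = [
    r"example. 3600 IN TYPE65280 \# 4 0B0C0D0E",
    r"example. 3600 IN TYPE65280 \# 4 0A0B0C0D",
]


def demo():
    rrs = [parse_master_line(line) for line in SAMPLE_LINES]
    passthrough = [format_master_line(rr) for rr in rrs]  # what a secondary re-serves
    signing_input = rrsig_data_input(rrs)                 # what an offline signer hashes
    return passthrough, signing_input


if __name__ == "__main__":
    lines, data = demo()
    print("\n".join(lines))
    print(data.hex())
```

Nothing in `parse_master_line`, `format_master_line` or `canonical_rr` depends on what TYPE65280 means, which is the point of both "No" answers above: an AXFR can carry such an RR through a secondary that has never heard of it, and the signer's input is fixed by owner, type, class, TTL and opaque RDATA alone.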