On Sun, Feb 28, 2021 at 12:32:23PM +1100, Mark Andrews wrote:
> It says that RRSIGs exist at that name.

But there is no *signed* RRSIG RRSet as such, and positive responses to
queries with type RRSIG are always insecure, and can always just be
outright lies, with no way to check.

Since the NSEC bitmap protects against NODATA forgery, it makes no sense
to include RRSIG here, because any RRSIG response can never be
validated.

So it makes no sense to include RRSIG in the NSEC bitmap. This still
looks like a mistake.

--
Viktor.
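
Added illustration, not part of the original message: a small codec for the NSEC type bitmap in the RFC 4034 wire format, plus the NODATA check that the bitmap supports. The function names and the sample type set are assumptions made up for this example.

```python
# Added example: NSEC type-bitmap codec (wire format per RFC 4034, section 4.1.2).
CNAME, RRSIG, NSEC = 5, 46, 47

def encode_bitmap(types):
    """Encode RR type numbers as NSEC window blocks: window, length, bitmap."""
    windows = {}
    for t in sorted(set(types)):
        bits = windows.setdefault(t >> 8, bytearray(32))
        bits[(t & 0xFF) >> 3] |= 0x80 >> (t & 7)
    out = bytearray()
    for win in sorted(windows):
        bits = bytes(windows[win]).rstrip(b"\x00")  # trailing zero octets are omitted
        out += bytes([win, len(bits)]) + bits
    return bytes(out)

def decode_bitmap(wire):
    """Return the RR type numbers set in an NSEC type bitmap, in ascending order."""
    types, pos, last_win = [], 0, -1
    while pos < len(wire):
        if pos + 2 > len(wire):
            raise ValueError("truncated window header")
        win, length = wire[pos], wire[pos + 1]
        pos += 2
        if win <= last_win or not 1 <= length <= 32 or pos + length > len(wire):
            raise ValueError("malformed window block")
        for i, octet in enumerate(wire[pos:pos + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.append(win * 256 + i * 8 + bit)
        pos += length
        last_win = win
    return types

def nodata_provable(wire, qtype):
    """NODATA for qtype is provable only if neither its bit nor CNAME's is set."""
    present = set(decode_bitmap(wire))
    return qtype not in present and CNAME not in present

# Constructed sample: a signed name owning A (1), MX (15), RRSIG and NSEC.
SAMPLE = encode_bitmap([1, 15, RRSIG, NSEC])

if __name__ == "__main__":
    print(SAMPLE.hex(), decode_bitmap(SAMPLE))
    print("NODATA provable for AAAA (28):", nodata_provable(SAMPLE, 28))
    print("NODATA provable for RRSIG:", nodata_provable(SAMPLE, RRSIG))
```

With the RRSIG bit set, as in the sample, this NSEC record cannot serve as a NODATA proof for a query of type RRSIG.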