At 14:22 -0400 10/12/12, Paul Wouters wrote:

> Which approach is more "correct"? I am leaning towards opendnssec.

Using the choices above, opendnssec is correct. Once the NS set returns, the address records are demoted from authoritative data to glue. (Akin to occluded records arising from dynamic update adding a DNAME or NS set.)

The software tools performing the signing function ought to detect this demotion and decide to remove the signature records for what has become glue.

> (and if there are bind/opendnssec devs here, how do I get these two
> signers to behave the same regarding this issue, to avoid hitting
> a false positive of a broken signer engine)

I suppose (not speaking as a developer of the tools) that if you were to force a "batch" signing of the zone in BIND, including manually removing all signatures, the glue records would not get signatures. This solution doesn't scale well though, as you might imagine.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

2012...time to reuse those 1984 calendars!
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop

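As an added example (not part of the thread, and not code from OpenDNSSEC or BIND): a small Python model of the RFC 4035 rule that delegation NS RRsets and the glue below a zone cut are not authoritative data and therefore carry no RRSIGs. It classifies each RRset of a zone, then compares the zone before and after an NS set is added at a child name to find the address records that were demoted to glue and whose signatures a signer should drop. It also covers the DNAME case mentioned above. The zone names and record lists are constructed for illustration.

```python
"""Classify RRsets of a zone as signable or not, and find RRsets demoted to glue.

Example code written for this page; it is not the signing logic of OpenDNSSEC
or BIND. Names and record lists below are constructed for illustration.
RRsets are modelled only as (owner, rrtype) pairs, which is all that matters
for the sign / don't-sign decision.
"""

# RRset classes used here:
#   'auth'          authoritative data of this zone, gets an RRSIG
#   'delegation-ns' NS RRset at a zone cut, not signed (RFC 4035 s2.2)
#   'glue'          A/AAAA at or below a zone cut, not signed
#   'occluded'      anything else at/below a cut or below a DNAME, not signed


def _is_below(name, ancestor):
    """True if name is strictly below ancestor (absolute names, trailing dot)."""
    return name != ancestor and name.endswith("." + ancestor)


def classify(origin, rrsets):
    """Return {(owner, rrtype): class} for every RRset in the zone."""
    origin = origin.lower()
    rrsets = {(o.lower(), t.upper()) for o, t in rrsets}
    # Zone cuts are NS RRsets anywhere except the apex; DNAMEs occlude below.
    cuts = {o for o, t in rrsets if t == "NS" and o != origin}
    dnames = {o for o, t in rrsets if t == "DNAME"}

    result = {}
    for owner, rrtype in rrsets:
        if any(_is_below(owner, c) for c in cuts):
            # Below a cut: the child zone owns this; only addresses are glue.
            result[(owner, rrtype)] = "glue" if rrtype in ("A", "AAAA") else "occluded"
        elif any(_is_below(owner, d) for d in dnames):
            result[(owner, rrtype)] = "occluded"
        elif owner in cuts:
            if rrtype == "NS":
                result[(owner, rrtype)] = "delegation-ns"
            elif rrtype in ("DS", "NSEC", "NSEC3"):
                # The parent's own data at the delegation point: signed.
                result[(owner, rrtype)] = "auth"
            elif rrtype in ("A", "AAAA"):
                result[(owner, rrtype)] = "glue"   # NS target at the cut itself
            else:
                result[(owner, rrtype)] = "occluded"
        else:
            result[(owner, rrtype)] = "auth"
    return result


def signable(classes):
    """The RRsets that should carry RRSIGs."""
    return {k for k, v in classes.items() if v == "auth"}


def demoted(origin, before, after):
    """RRsets signable in `before` but not in `after`: their RRSIGs must go."""
    return signable(classify(origin, before)) - signable(classify(origin, after))


def stale_signatures(origin, rrsets, signed):
    """Given (owner, covered-type) pairs that currently have RRSIGs, return the
    ones covering data that is no longer authoritative in `rrsets`."""
    return {k for k in signed if k not in signable(classify(origin, rrsets))}


# Constructed zone: before the delegation exists, the nameserver address is
# ordinary authoritative data and is signed.
ZONE_BEFORE = [
    ("example.", "SOA"),
    ("example.", "NS"),
    ("ns1.child.example.", "A"),
]

# The NS set for child.example. returns: the A record is now glue.
ZONE_AFTER = ZONE_BEFORE + [
    ("child.example.", "NS"),
    ("child.example.", "DS"),
]

# Same effect via a DNAME: names below it are occluded.
ZONE_DNAME = [
    ("example.", "SOA"),
    ("alias.example.", "DNAME"),
    ("www.alias.example.", "A"),
]

if __name__ == "__main__":
    for k, v in sorted(classify("example.", ZONE_AFTER).items()):
        print(f"{k[0]:22} {k[1]:5} {v}")
    print("demoted to glue:", demoted("example.", ZONE_BEFORE, ZONE_AFTER))
```

`demoted()` is the check the message calls for: run it with the zone as last signed and the zone as it is now, and every RRset it returns is one whose signatures a signer should remove rather than keep refreshing. `stale_signatures()` does the same from the set of RRSIGs actually present, which is the view a batch re-signing of an already signed zone would have.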