In message <a06240800cca2fabab5eb@[192.168.129.6]>, Edward Lewis writes:

> At 14:22 -0400 10/12/12, Paul Wouters wrote:
>
> >Which approach is "more correct"? I am leaning towards opendnssec.
>
> Using the choices above, opendnssec is correct. Once the NS set
> returns, the address records are demoted from authoritative data to
> glue. (Akin to occluded records arising from dynamic update adding a
> DNAME or NS set.)
>
> The software tools performing the signing function ought to detect
> this demotion and decide to remove the signature records for what has
> become glue.
There is nothing wrong with the signature remaining. Authoritative
servers are supposed to ignore them when generating responses to
QUERIES other than AXFR/IXFR, the same as they ignore all other types
other than A and AAAA.

> >(and if there are bind/opendnssec devs here, how do I get these two
> > signers to behave the same regarding this issue, to avoid hitting
> > a false positive of a broken signer engine)
>
> I suppose (not speaking as a developer of the tools) if you were to
> force a "batch" signing of the zone in BIND, including manually
> removing all signatures the glue records would not get signatures.
> This solution doesn't scale well though, as you might imagine.
>
> --
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Edward Lewis
> NeuStar                    You can leave a voice message at +1-571-434-5468
>
> 2012...time to reuse those 1984 calendars!
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
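The exchange above turns on two rules a signer and an authoritative server both apply: per RFC 4035 section 2.2 only authoritative data is signed (an NS RRset at a delegation point, the glue addresses for it, and anything occluded below the cut are not), and a referral carries glue without RRSIGs, so a signature left behind on demoted data never reaches a normal answer. The following toy model is an added example written for this archive page, not code from OpenDNSSEC, BIND or any poster; the zone example.test. and its records are constructed for illustration. It classifies each RRset before and after an NS set is added for child.example.test., lists the signatures that became stale (what OpenDNSSEC drops and BIND leaves), and builds the referral that omits them either way.

```python
"""Toy model of RRSIG placement (RFC 4035 s2.2) and referral construction,
to illustrate "demotion to glue" when an NS set appears in a signed zone.
Constructed example; not OpenDNSSEC or BIND code."""

from typing import Dict, List, Optional, Set, Tuple

RRKey = Tuple[str, str]        # (owner name, RR type)
Zone = Dict[RRKey, List[str]]  # RRset -> rdata list (rdata content is irrelevant here)


def _is_subdomain(name: str, ancestor: str) -> bool:
    """True if name equals ancestor or lies below it (absolute, lower-case names)."""
    return name == ancestor or name.endswith("." + ancestor)


def delegation_points(zone: Zone, apex: str) -> Set[str]:
    """Names other than the apex that own an NS RRset: the zone cuts."""
    return {owner for (owner, rtype) in zone if rtype == "NS" and owner != apex}


def closest_cut(name: str, cuts: Set[str]) -> Optional[str]:
    """The delegation point at or above `name`, if any (closest encloser wins)."""
    enclosing = [cut for cut in cuts if _is_subdomain(name, cut)]
    return max(enclosing, key=len) if enclosing else None


def classify(zone: Zone, apex: str) -> Dict[RRKey, str]:
    """Label each RRset as authoritative, delegation, glue or occluded.

    At a cut the NS RRset is the (unsigned) delegation and DS is authoritative.
    A/AAAA records at or below a cut whose owner is a target of that cut's NS
    set are glue; every other RRset at or below a cut is occluded."""
    cuts = delegation_points(zone, apex)
    labels: Dict[RRKey, str] = {}
    for owner, rtype in zone:
        cut = closest_cut(owner, cuts)
        if cut is None:
            labels[(owner, rtype)] = "authoritative"
        elif owner == cut and rtype == "NS":
            labels[(owner, rtype)] = "delegation"
        elif owner == cut and rtype == "DS":
            labels[(owner, rtype)] = "authoritative"
        elif rtype in ("A", "AAAA") and owner in zone[(cut, "NS")]:
            labels[(owner, rtype)] = "glue"
        else:
            labels[(owner, rtype)] = "occluded"
    return labels


def signable(zone: Zone, apex: str) -> Set[RRKey]:
    """RRsets that must carry an RRSIG: authoritative data only (RFC 4035 s2.2)."""
    return {key for key, label in classify(zone, apex).items() if label == "authoritative"}


def stale_signatures(rrsigs: Set[RRKey], zone: Zone, apex: str) -> Set[RRKey]:
    """Signatures covering RRsets that are no longer signable, e.g. addresses
    demoted to glue by a new NS set. A signer may remove them; leaving them in
    the zone is harmless for query answers, see referral()."""
    return rrsigs - signable(zone, apex)


def referral(zone: Zone, rrsigs: Set[RRKey], apex: str, qname: str) -> Dict[str, List[RRKey]]:
    """Authority and additional sections of a referral for qname. Only the DS
    RRset at the cut is accompanied by its RRSIG; glue is emitted without
    signatures even when a stale RRSIG for it still sits in the zone."""
    cut = closest_cut(qname, delegation_points(zone, apex))
    if cut is None:
        raise ValueError(f"{qname} is not below a delegation of {apex}")
    authority: List[RRKey] = [(cut, "NS")]
    if (cut, "DS") in zone:
        authority.append((cut, "DS"))
        if (cut, "DS") in rrsigs:
            authority.append((cut, "RRSIG(DS)"))
    labels = classify(zone, apex)
    additional: List[RRKey] = []
    for target in zone[(cut, "NS")]:
        for rtype in ("A", "AAAA"):
            if (target, rtype) in zone and labels[(target, rtype)] == "glue":
                additional.append((target, rtype))  # never an RRSIG for glue
    return {"authority": authority, "additional": additional}


# Constructed sample zone: ns1.child starts as ordinary authoritative data,
# then an NS set (and DS) for child.example.test. is added above it.
APEX = "example.test."
BEFORE: Zone = {
    (APEX, "SOA"): ["ns.example.test. hostmaster.example.test. 1 3600 900 604800 300"],
    (APEX, "NS"): ["ns.example.test."],
    ("ns.example.test.", "A"): ["192.0.2.1"],
    ("ns1.child.example.test.", "A"): ["192.0.2.53"],
    ("www.child.example.test.", "A"): ["192.0.2.80"],
}
AFTER: Zone = dict(BEFORE)
AFTER[("child.example.test.", "NS")] = ["ns1.child.example.test."]
AFTER[("child.example.test.", "DS")] = ["12345 13 2 digest-omitted-in-this-model"]

if __name__ == "__main__":
    old_sigs = signable(BEFORE, APEX)           # what the signer produced earlier
    lingering = old_sigs | signable(AFTER, APEX)  # new data signed, old RRSIGs kept
    print("stale after delegation:", sorted(stale_signatures(old_sigs, AFTER, APEX)))
    print(referral(AFTER, lingering, APEX, "www.child.example.test."))
```

Running it shows the two A RRsets under child.example.test. as the stale signatures (one demoted to glue, one occluded) and a referral whose additional section holds the glue A record with no RRSIG, which is the behaviour the reply relies on.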
