On Fri, 19 Oct 2012, Mark Andrews wrote:

The software tools performing the signing function ought to detect
this demotion and decide to remove the signature records for what has
become glue.

There is nothing wrong with the signature remaining.  Authoritative
servers are supposed to ignore them when generating responses to
QUERIES other than AXFR/IXFR the same as they ignore all other types
other than A and AAAA.

Will dnssec-signzone's behaviour be modified to ensure these RRSIGs are
removed from the zone, or is it going to leave that up to the name server?

For those of us using multiple engines, the difference is a problem,
even if the nameserver would not actually serve the records.

Paul
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
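
An added example, not part of the original thread and not code from dnssec-signzone or any other signer: one way to check a signed zone for RRSIGs left on records that a delegation has turned into glue, the cross-engine difference raised above. It assumes a simplified zone text with one record per line and absolute owner names; the zone data and function names are constructed for illustration.

```python
# Constructed sample zone: ns.sub.example. was signed as authoritative data,
# then sub.example. was delegated, which demoted its A record to glue.
SAMPLE_ZONE = """\
example. 3600 IN SOA ns1.example. admin.example. 1 7200 900 1209600 3600
example. 3600 IN NS ns1.example.
example. 3600 IN RRSIG NS 8 1 3600 20121119000000 20121019000000 12345 example. c2ln
sub.example. 3600 IN NS ns.sub.example.
sub.example. 3600 IN DS 12345 8 2 00ff
sub.example. 3600 IN RRSIG DS 8 2 3600 20121119000000 20121019000000 12345 example. c2ln
ns.sub.example. 3600 IN A 192.0.2.53
ns.sub.example. 3600 IN RRSIG A 8 3 3600 20121119000000 20121019000000 12345 example. c2ln
"""

def labels(name):
    return name.lower().rstrip(".").split(".")

def is_below(name, ancestor):
    """True when name is a strict descendant of ancestor."""
    n, a = labels(name), labels(ancestor)
    return len(n) > len(a) and n[-len(a):] == a

def parse(text):
    """Return (owner, type, rdata fields) for each 'owner ttl class type rdata' line."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and not line.startswith(";"):
            records.append((fields[0].lower(), fields[3].upper(), fields[4:]))
    return records

def stale_glue_rrsigs(text, apex):
    """List (owner, covered type) for RRSIGs over data that is not authoritative."""
    records = parse(text)
    apex = apex.lower()
    # Every NS owner other than the apex is a zone cut.
    cuts = {owner for owner, rtype, _ in records if rtype == "NS" and owner != apex}
    stale = []
    for owner, rtype, rdata in records:
        if rtype != "RRSIG":
            continue
        covered = rdata[0].upper()  # first RRSIG rdata field is the type covered
        below_cut = any(is_below(owner, cut) for cut in cuts)
        # At the cut itself only DS and NSEC belong to the parent and are signed.
        at_cut = owner in cuts and covered not in ("DS", "NSEC")
        if below_cut or at_cut:
            stale.append((owner, covered))
    return stale
```

Running the same check on the output of each signing engine shows whether they disagree about keeping signatures over glue.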