On Jul 9, 2018, at 02:02, George Michaelson <[email protected]> wrote:
> wow. Firstly, I thought canonicalization was a given: we have > definitions of canonical zone order for other reasons (NSEC*) don't > we? NSEC is concerned with the ordering of owner names. RRSIG is concerned with the ordering of individual RRs in an RRSet. Unsigned RRSets (e.g. glue, NS RRSets above a zone cut) are unordered. You could apply the same rules (RFC4034 section 6.3) to sort them into canonical order, but I think you could also not do that and still have a compliant implementation of DNSSEC. Joe _______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
