> On 9 Jul 2018, at 11:27 am, Joe Abley <[email protected]> wrote:
> 
> On Jul 9, 2018, at 02:02, George Michaelson <[email protected]> wrote:
> 
>> wow. Firstly, I thought canonicalization was a given: we have
>> definitions of canonical zone order for other reasons (NSEC*) don't
>> we?
> 
> NSEC is concerned with the ordering of owner names.
> 
> RRSIG is concerned with the ordering of individual RRs in an RRSet.
> 
> Unsigned RRSets (e.g. glue, NS RRSets above a zone cut) are unordered.
> You could apply the same rules (RFC4034 section 6.3) to sort them into
> canonical order, but I think you could also not do that and still have
> a compliant implementation of DNSSEC.

You need to sort them or you need to provide a mechanism that preserves the 
existing order.

I actually think we could design a system that works for in-band and dynamic 
update.  Add an XSIG record, where the XSIG is RRSIG(hash(NS and other records 
in the zone up to the next secure delegation in DNSSEC)).  For NSEC this 
becomes the NS records and glue below the NS.  This is incrementally 
generatable.

Mark

> Joe
> 
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [email protected]
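The ordering rules the two messages above refer to (RFC 4034 sections 6.1 to 6.3) are what make a hash over NS records and glue reproducible across servers at all. The following Python is an added illustration, not code from ISC, the IETF or either participant: it implements canonical name order, canonical RR form and canonical RRset order for the record types that occur in a delegation, and then computes the kind of order-independent digest that the sketched XSIG record would sign. XSIG is not a real RR type, the `delegation_digest` construction (SHA-256 over canonical RRs, RRsets in name-then-type order) is an assumption made for this example, and the delegation for `sub.example.` is constructed sample data.

```python
"""Canonical ordering and digest of an unsigned delegation (NS + glue).

Added example for the thread above: RFC 4034 s6.1-s6.3 ordering rules and an
assumed order-independent digest of the kind a hypothetical XSIG would sign.
Not ISC or IETF code; XSIG is not a real RR type.
"""
import hashlib
import ipaddress
import struct

TYPE_CODES = {"A": 1, "NS": 2, "AAAA": 28}
CLASS_IN = 1


def _labels(name):
    # Lowercase every label (RFC 4034 s6.2 canonical form); "." is the root.
    return [label.lower().encode("ascii") for label in name.rstrip(".").split(".") if label]


def wire_name(name: str) -> bytes:
    # Uncompressed wire format: length-prefixed labels, terminated by the root label.
    return b"".join(bytes([len(label)]) + label for label in _labels(name)) + b"\x00"


def name_sort_key(name: str) -> tuple:
    # RFC 4034 s6.1: compare label by label from the most significant (rightmost)
    # label; an absent label sorts before any present label, which tuple
    # comparison gives us for free.
    return tuple(reversed(_labels(name)))


def rdata_wire(rtype: str, rdata: str) -> bytes:
    # Only the types that occur in a delegation are modelled here.
    if rtype == "NS":
        return wire_name(rdata)  # s6.2: names inside NS RDATA are lowercased too
    if rtype == "A":
        return ipaddress.IPv4Address(rdata).packed
    if rtype == "AAAA":
        return ipaddress.IPv6Address(rdata).packed
    raise ValueError(f"unsupported type {rtype}")


def canonical_rr(owner: str, ttl: int, rtype: str, rdata: str) -> bytes:
    # s6.2 canonical form: owner name | TYPE | CLASS | TTL | RDLENGTH | RDATA.
    rd = rdata_wire(rtype, rdata)
    return wire_name(owner) + struct.pack("!HHIH", TYPE_CODES[rtype], CLASS_IN, ttl, len(rd)) + rd


def canonical_rrset_order(rrs):
    # s6.3: within an RRset, sort by RDATA treated as a left-justified unsigned
    # octet sequence; Python bytes comparison already puts a shorter prefix first.
    return sorted(rrs, key=lambda rr: rdata_wire(rr[2], rr[3]))


def delegation_digest(rrs) -> str:
    """Order-independent SHA-256 over (owner, ttl, type, rdata) tuples.

    Assumed construction: RRsets visited in canonical name order, then by type
    code; RRs inside each RRset in canonical RDATA order. The result does not
    depend on how a zone file or a sequence of dynamic updates ordered them.
    """
    rrsets = {}
    for rr in rrs:
        rrsets.setdefault((rr[0].lower().rstrip(".") + ".", rr[2]), []).append(rr)
    h = hashlib.sha256()
    for owner, rtype in sorted(rrsets, key=lambda k: (name_sort_key(k[0]), TYPE_CODES[k[1]])):
        for rr in canonical_rrset_order(rrsets[(owner, rtype)]):
            h.update(canonical_rr(*rr))
    return h.hexdigest()


def naive_digest(rrs) -> str:
    # No canonicalisation: hash presentation-format lines in arrival order.
    # Same records, different order or case, different hash.
    h = hashlib.sha256()
    for owner, ttl, rtype, rdata in rrs:
        h.update(f"{owner} {ttl} IN {rtype} {rdata}\n".encode())
    return h.hexdigest()


# Constructed delegation for a hypothetical zone: NS RRset at the cut plus glue.
DELEGATION_A = [
    ("sub.example.", 3600, "NS", "ns2.sub.example."),
    ("sub.example.", 3600, "NS", "ns1.sub.example."),
    ("ns1.sub.example.", 3600, "A", "192.0.2.1"),
    ("ns2.sub.example.", 3600, "AAAA", "2001:db8::2"),
]
# The same records as another server might hold them after dynamic updates:
# different order and different letter case.
DELEGATION_B = [
    ("NS2.sub.example.", 3600, "AAAA", "2001:db8::2"),
    ("Sub.Example.", 3600, "NS", "NS1.sub.example."),
    ("ns1.sub.example.", 3600, "A", "192.0.2.1"),
    ("sub.example.", 3600, "NS", "ns2.sub.example."),
]

if __name__ == "__main__":
    print("canonical A:", delegation_digest(DELEGATION_A))
    print("canonical B:", delegation_digest(DELEGATION_B))
    print("naive A    :", naive_digest(DELEGATION_A))
    print("naive B    :", naive_digest(DELEGATION_B))
```

Running it shows the two canonical digests agree while the two naive ones differ, which is the practical content of "you need to sort them or you need to provide a mechanism that preserves the existing order": a signature over unsigned NS and glue records is only verifiable if every party derives the same byte sequence, and the canonical form already defined for RRSIG is the obvious way to get there. TTL is included because section 6.2 puts it in the canonical form; a real design would have to decide, as RRSIG does with its Original TTL field, how to keep TTLs from breaking verification.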
