On Thu, Nov 1, 2018 at 11:52 AM Joe Abley <jab...@hopcount.ca> wrote:

> On 1 Nov 2018, at 14:49, Brian Dickson <brian.peter.dick...@gmail.com>
> wrote:
>
> > So, giving this some tiny bit of thought:
> > When is zonemd added to a response, is that when doing an AXFR?
>
> Construction of ZONEMD RRs and responding to AXFR are orthogonal.
>
>
Right, I just realized that... I was thinking of generation of all ZONEMD
RRs, but only returning a subset.
However, since ZONEMD RRs are DNSSEC-signed, the signature process requires
all the RRs to be included in the signature for the signature to validate.

Which means you always have to provide all of the ZONEMD records, if the
ZONEMD records are signed with the current DNSSEC method.


> > Maybe signaling the algorithm(s) for which signature(s) are
> desired/understood would do the trick?
> > I.e. in an EDNS option?
>
> I don't think so. EDNS options relate to servers exchanging DNS messages.
> ZONEMD relates to zones.
>

Hmmm... so at best it would be a one-way signal from the client to the
server, about what they support (and optionally prefer).
The server has to send all the ZONEMD records regardless.

Brian
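Brian's point above is that an RRSIG covers the entire RRset, so a responder that returns only some of the ZONEMD records hands the validator data that cannot match the signature. The following added example (constructed here, not code from the thread or any DNS implementation) builds the RFC 4034 canonical signed data for a ZONEMD RRset using the RFC 8976 RDATA layout and shows that dropping one RR changes the covered data while reordering does not; the owner name, TTL, serial, timestamps, key tag and digest bytes are sample values.

```python
import hashlib
import struct

ZONEMD_TYPE = 63   # RR type code for ZONEMD
IN_CLASS = 1

def name_to_wire(name):
    """Owner name in canonical wire form (RFC 4034 s6.2): lowercase labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def zonemd_rdata(serial, scheme, hash_alg, digest):
    """ZONEMD RDATA layout (RFC 8976): serial, scheme, hash algorithm, digest."""
    return struct.pack("!IBB", serial, scheme, hash_alg) + digest

def canonical_rrset(owner, ttl, rdatas):
    """Canonical RRset form (RFC 4034 s6.3): every RR in the set, sorted by RDATA."""
    owner_wire = name_to_wire(owner)
    return b"".join(
        owner_wire + struct.pack("!HHIH", ZONEMD_TYPE, IN_CLASS, ttl, len(rd)) + rd
        for rd in sorted(rdatas)
    )

def covered_data_digest(rrsig_prefix, owner, ttl, rdatas):
    """SHA-256 over what the signer hashes: RRSIG RDATA minus the signature, then the RRset."""
    return hashlib.sha256(rrsig_prefix + canonical_rrset(owner, ttl, rdatas)).hexdigest()

# Constructed sample zone data: two ZONEMD RRs at the apex, one with SHA-384
# (hash algorithm 1) and one with SHA-512 (hash algorithm 2), same scheme (1 = SIMPLE).
OWNER, TTL, SERIAL = "example.", 3600, 2018110100
RRS = [
    zonemd_rdata(SERIAL, 1, 1, bytes.fromhex("11" * 48)),
    zonemd_rdata(SERIAL, 1, 2, bytes.fromhex("22" * 64)),
]
# RRSIG RDATA fields preceding the signature: type covered, algorithm (13 = ECDSAP256SHA256),
# labels, original TTL, expiration, inception, key tag, signer name. Sample values.
RRSIG_PREFIX = struct.pack("!HBBIIIH", ZONEMD_TYPE, 13, 1, TTL,
                           1543622400, 1541030400, 12345) + name_to_wire(OWNER)

def compare_full_vs_subset():
    """Digests for the full RRset, a response carrying only one ZONEMD RR, and a reordered set."""
    full = covered_data_digest(RRSIG_PREFIX, OWNER, TTL, RRS)
    subset = covered_data_digest(RRSIG_PREFIX, OWNER, TTL, RRS[:1])
    reordered = covered_data_digest(RRSIG_PREFIX, OWNER, TTL, RRS[::-1])
    return full, subset, reordered

if __name__ == "__main__":
    full, subset, reordered = compare_full_vs_subset()
    print("full == reordered:", full == reordered)  # wire order is irrelevant after canonicalization
    print("full == subset:  ", full == subset)      # a partial RRset cannot validate
```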
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
