On Fri, 13 Aug 2021, Ben Schwartz wrote:
> I think we can summarize the recent DS-glue-signing drafts as follows:
> * draft-fujiwara-dnsop-delegation-information-signer: One new DS holding a
> hash of all the glue records.
> * draft-dickson-dnsop-ds-hack: Each new DS holds the hash of one glue RRSet.
> * draft-schwartz-ds-glue: Each new DS holds one glue record verbatim.
Thanks, this is very useful.
FWIW,
https://datatracker.ietf.org/doc/html/draft-schwartz-ds-glue-01#section-3.2 says
Source Records reconstructed from DSGLUE SHOULD be processed exactly
like ordinary unauthenticated glue records. For example, they MAY be
cached for use in future delegations but MUST NOT be returned in any
responses (c.f. Section 5.4.1 of [RFC2181]).
I get that, but it still seems odd to have signed-but-not-authoritative in
between unsigned and signed. If you're not supposed to treat them as any
more credible than unsigned glue, what's the point of signing them?
Regards,
John Levine, [email protected], Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly