On Tue, 6 Feb 2018, Tero Kivinen wrote:
It was actually a mistake (partially induced by my memory of rfc-8078
work and its errata). Those fields are all fixed length. Only the digest
itself is variable length, and as per 8078 errata, the shortest
representation would be "00", so two octets.
That does not match section 3.
I.e., in section 3 you have examples and text saying that the initiator
will send an empty INTERNAL_DNSSEC_TA attribute in CFG_REQUEST:
but this is not possible with the current definition of section 4.2,
where the DNSKEY Key Tag etc fields are mandatory. That's why my
proposal was to make the whole DNSSEC Trust Anchor Data optional.
Riiight...I forgot about the CFG_REQUEST item.
Ok, I will change it and list both versions in separate packet diagrams.
I've submitted -05. My only question now is what to do with the
length field of both records. It now says "2 octets, unsigned integer"
but perhaps it should say "2 octets in network order" ?
In RFC7296 we have:
All multi-octet fields representing integers are laid out in big
endian order (also known as "most significant byte first", or
"network byte order").
which covers everything. You could add similar text here...
Thanks, will do.
Paul
_______________________________________________
IPsec mailing list
https://www.ietf.org/mailman/listinfo/ipsec
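
The two points settled in this thread (an empty INTERNAL_DNSSEC_TA is valid only in CFG_REQUEST, and the 2-octet length is big endian), as an added parsing sketch that is not part of the original message or the draft. Assumptions: the attribute type number is a placeholder from the private-use range, the trust anchor fields follow DS record order (key tag, algorithm, digest type, digest), and the digest must be non-empty.

```python
import struct

# Assumption: placeholder type number (private-use range); the thread gives none.
INTERNAL_DNSSEC_TA = 16384
CFG_REQUEST, CFG_REPLY = 1, 2  # CFG types from RFC 7296


class AttrError(ValueError):
    """Raised when an attribute fails a structural check."""


def parse_dnssec_ta(buf: bytes, cfg_type: int):
    """Parse one attribute; return None for the empty CFG_REQUEST form."""
    if len(buf) < 4:
        raise AttrError("truncated attribute header")
    # RFC 7296 attribute header: 1 reserved bit + 15-bit type, then a
    # 16-bit length, both in network byte order ("!" in struct).
    raw_type, length = struct.unpack_from("!HH", buf, 0)
    if raw_type & 0x7FFF != INTERNAL_DNSSEC_TA:
        raise AttrError("not an INTERNAL_DNSSEC_TA attribute")
    value = buf[4:4 + length]
    if len(value) != length:
        raise AttrError("length field exceeds received data")
    if length == 0:
        # Empty form: the initiator only signals that it wants trust anchors.
        if cfg_type != CFG_REQUEST:
            raise AttrError("empty trust anchor only valid in CFG_REQUEST")
        return None
    # Assumed layout: key tag (2), algorithm (1), digest type (1), digest (var).
    if length < 5:
        raise AttrError("fixed fields present but digest missing")
    key_tag, algorithm, digest_type = struct.unpack_from("!HBB", value, 0)
    return {"key_tag": key_tag, "algorithm": algorithm,
            "digest_type": digest_type, "digest": value[4:]}


# Constructed sample messages (not captured traffic).
SAMPLE_REQUEST = struct.pack("!HH", INTERNAL_DNSSEC_TA, 0)
SAMPLE_TA = struct.pack("!HBB", 20326, 8, 2) + b"\xab\xcd"
SAMPLE_REPLY = struct.pack("!HH", INTERNAL_DNSSEC_TA, len(SAMPLE_TA)) + SAMPLE_TA
# Same reply with the length written little endian: it reads as 0x0600.
SAMPLE_WRONG_ORDER = (struct.pack("!H", INTERNAL_DNSSEC_TA)
                      + struct.pack("<H", len(SAMPLE_TA)) + SAMPLE_TA)

if __name__ == "__main__":
    print(parse_dnssec_ta(SAMPLE_REQUEST, CFG_REQUEST))
    print(parse_dnssec_ta(SAMPLE_REPLY, CFG_REPLY))
```

A sender that writes the length in host order on a little-endian machine produces `SAMPLE_WRONG_ORDER`, which the bounds check rejects instead of reading past the received data.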