At 10:17 +1100 10/19/12, Mark Andrews wrote:
> There is nothing wrong with the signature remaining. Authoritative servers are supposed to ignore them when generating responses to QUERIES other than AXFR/IXFR, the same as they ignore all other types other than A and AAAA.
There's the principle of "be liberal in what you accept and conservative in what you send", which that tack violates. By including the extraneous signatures you aren't being conservative.
My expectation of a DNSSEC signer is that it would produce a properly signed zone. If a signer tool included signatures which it is not authorized to make, even if they were just leftovers, I'd report a bug because that would not meet expectations.
What happens when a validator sees a non-authorized signature on data? What happens when a validator sees that on glue? There's no specific defined behavior there, so I would assert that the signer ought to be conservative.
But - that is just an opinion of mine.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar
You can leave a voice message at +1-571-434-5468

2012...time to reuse those 1984 calendars!

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
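The thread argues that a signer should not emit RRSIGs over data the zone is not authoritative for (delegation NS RRsets and glue addresses; RFC 4035 section 2.2 says these MUST NOT be signed, while DS and NSEC at the cut are the parent's own data). The following lint, added here as an illustration and not code from the thread or from any signer mentioned in it, walks a signed zone in presentation format and reports such signatures. It assumes a minimal one-record-per-line zone file with fully qualified owner names; the zone contents, the function names and the `PARENT_SIDE_TYPES` set are constructed for this example.

```python
"""Lint a DNSSEC-signed zone for RRSIGs covering non-authoritative data.

Flags signatures over delegation NS RRsets and over glue A/AAAA at or below
a zone cut; DS and NSEC at the cut are authoritative in the parent and are
not reported. Constructed example, not a signer's own code.
"""

# RR types the parent zone is authoritative for at a delegation point, so a
# signature covering them at the cut is legitimate (RFC 4035 section 2.2).
PARENT_SIDE_TYPES = {"DS", "NSEC"}

# Constructed sample zone: the apex and ns1 are signed correctly, but two
# leftover RRSIGs sit on the delegation NS RRset and on the glue for sub.
SAMPLE_ZONE = """\
$ORIGIN example.
example.        3600 IN SOA   ns1.example. hostmaster.example. 1 3600 900 604800 300
example.        3600 IN RRSIG SOA 13 1 3600 20250101000000 20241201000000 12345 example. sigA==
example.        3600 IN NS    ns1.example.
example.        3600 IN RRSIG NS 13 1 3600 20250101000000 20241201000000 12345 example. sigB==
ns1.example.    3600 IN A     192.0.2.1
ns1.example.    3600 IN RRSIG A 13 2 3600 20250101000000 20241201000000 12345 example. sigC==
sub.example.    3600 IN NS    ns.sub.example.
sub.example.    3600 IN DS    12345 13 2 abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789
sub.example.    3600 IN RRSIG DS 13 2 3600 20250101000000 20241201000000 12345 example. sigD==
sub.example.    3600 IN RRSIG NS 13 2 3600 20250101000000 20241201000000 12345 example. sigE==  ; leftover
ns.sub.example. 3600 IN A     192.0.2.53
ns.sub.example. 3600 IN RRSIG A 13 3 3600 20250101000000 20241201000000 12345 example. sigF==  ; leftover on glue
"""


def parse_zone(text):
    """Return (owner, type, rdata_fields) tuples from a one-RR-per-line zone.

    Comments and $ directives are skipped; an optional TTL and class before the
    type are tolerated. Owner names are lowercased for comparison.
    """
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        owner = fields[0].lower()
        i = 1
        if fields[i].isdigit():       # optional TTL
            i += 1
        if fields[i].upper() == "IN":  # optional class
            i += 1
        records.append((owner, fields[i].upper(), fields[i + 1:]))
    return records


def delegation_points(records, apex):
    """Owner names holding an NS RRset other than the apex are zone cuts."""
    return {owner for owner, rtype, _ in records if rtype == "NS" and owner != apex}


def is_at_or_below_cut(owner, cuts):
    """True if the owner is a delegation point or lies underneath one."""
    return any(owner == cut or owner.endswith("." + cut) for cut in cuts)


def find_unauthorized_rrsigs(text, apex):
    """Return [(owner, covered_type)] for RRSIGs over non-authoritative data."""
    apex = apex.lower()
    records = parse_zone(text)
    cuts = delegation_points(records, apex)
    findings = []
    for owner, rtype, rdata in records:
        if rtype != "RRSIG":
            continue
        covered = rdata[0].upper()   # RRSIG rdata begins with the type covered
        if not is_at_or_below_cut(owner, cuts):
            continue                 # authoritative data: signature expected
        if owner in cuts and covered in PARENT_SIDE_TYPES:
            continue                 # DS/NSEC at the cut belong to the parent
        findings.append((owner, covered))
    return findings


if __name__ == "__main__":
    for owner, covered in find_unauthorized_rrsigs(SAMPLE_ZONE, "example."):
        print(f"non-authoritative RRSIG: {owner} covers {covered}")
```

Run against the sample zone it reports the two leftover signatures (the delegation NS RRset at sub.example. and the glue A at ns.sub.example.) and stays silent for the apex, for ns1, and for the DS at the cut. A real deployment would feed it the signer's output before publication, which is where the "be conservative in what you send" check belongs.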