I am going to assume that the DNSKEY of this zone is not a trust anchor.
So it is going to use the DS RRset, not a cached DNSKEY RRset, to
authenticate the child zone's apex DNSKEY RRset (the one from the
response). Then from RFC 4035:
o The matching DNSKEY RR in the child zone has the
Alexander Mayrhofer writes:
> thanks for putting together draft-ietf-dnsop-nsec3-guidance. I have
> one small comment regarding section 2.2 (Flags):
After reading the conversation, I think the easiest thing to do is add
this:
or when using memory-constrained hardware.
To the end of the
On Fri, 24 Sep 2021, Matthijs Mekking wrote:
Second, I believe the corner case you mentioned is for Figure 15 (the one in
Appendix D), and I don't understand the scenario you are describing. What do
you mean with "the resolver getting the DNSKEY RRset for NS_B would not
contain a valid key
Paul,
On 23-09-2021 15:52, Paul Wouters wrote:
On Thu, 23 Sep 2021, Matthijs Mekking wrote:
You are referring to text that describes Figure 10.
The following text in Section 4.3.5.1 refers to the figure in Appendix D:
The requirement to exchange signatures has a couple of drawbacks. It