In message , Tony Finch
writes:
> I think I have spotted a lacuna or possibly erratum in RFC 7344.
>
> In section 4.1 bullet 2 it says:
>
>o Signer: MUST be signed with a key that is represented in both the
> current DNSKEY and
Another one:
It isn't clear to me if the preamble paragraphs in RFC 7344 section 4 are
supposed to describe requirements on the publisher or the processor or
both.
In particular, is the parental agent supposed to check this? -
If the Child
I think I have spotted a lacuna or possibly erratum in RFC 7344.
In section 4.1 bullet 2 it says:
o Signer: MUST be signed with a key that is represented in both the
current DNSKEY and DS RRsets, unless [unusual case]
This allows a setup where
* the DNSKEY RRset contains a ZSK and a
Hi Shane,
On Jul 29, 2017, at 09:05, Shane Kerr wrote:
> I guess that I understand your concern, but we don't have any way to
> authenticate servers in DNS today and we already send error messages back.
>
> I'm happy with error codes that are informational, but
+1 (in favor)
francis.dup...@fdupont.fr
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
神明達哉 wrote:
>
> - One possible idea of another extended error code: one that indicates
> a type-ANY query is responded with just one type of RRset when there
> can be more.
Note that it is almost always the case that ANY answers from
non-authoritative servers are a subset
I guess that I understand your concern, but we don't have any way to
authenticate servers in DNS today and we already send error messages back.
I'm happy with error codes that are informational, but don't change client
behavior. Yes, I realize that users may be tricked, but that's also the
This starts a Call for Adoption for draft-wkumari-dnsop-extended-error
I have reviewed the draft, and while I think it could be useful, I'm
seriously worried about sending unauthenticated errors back to the user,
and fear that software will start using these without first validating
the