Paul Vixie wrote:

> # > dnssec only signs authority data. glue is (by definition) not authority
> # > data.
> #
> # not authority data for the zone in question. it is authority
> # data for some part of the heirarchy tho...
>
> in principle, then, a referring server could fetch, validate, and transmit
> the covering RRSIGs for any out-of-bailiwick glue it wants to hand out?


The solution, as I said 10(?) years ago, is to add tags to
glues in cache.

Glues in cache should be tagged with parent zones of the referral
points (though it is better to tag with referred zones, it involves
modification to zone file format, XFER protocols etc.).

The cached glues should not be used to answer normal reply.

Cached glues should be used for cached referral if tags match
the referring zones.

There is nothing DNSSEC specific.

Masataka Ohta



--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: