Colleagues,

during a discussion at a different venue the question arose whether or not
the "DNSSEC RRs" should be included in a response to an ANY query with DO=0.

pro:

section 3 of RFC 4035 (top of page 9) says:

A security-aware name server that receives a DNS query that does not
include the EDNS OPT pseudo-RR or that has the DO bit clear MUST
treat the RRSIG, DNSKEY, and NSEC RRs as it would any other RRset and
MUST NOT perform any of the additional processing described below.

"treat ... as it would any other RRset" would support ANY covering those,
which is consistent with RFC 3225 (which explicitly listed ANY).

Also, this would be consistent with RFC 3597, not requiring special
handling for "unknown" types.

con:

RFC 4035, 3.2 says:

3.2.1. The DO Bit

The resolver side of a security-aware recursive name server MUST set
the DO bit when sending requests, regardless of the state of the DO
bit in the initiating request received by the name server side. If
the DO bit in an initiating query is not set, the name server side
MUST strip any authenticating DNSSEC RRs from the response but MUST
NOT strip any DNSSEC RR types that the initiating query explicitly
requested.

The important part is the last full sentence.

Also: the DO bit was introduced to protect "innocent" resolvers from
DNSSEC RRs they might not expect or understand.

Opinions?

-Peter

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive:
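To make the two readings above concrete, here is an added example (not part of Peter's post or any IETF text): a small Python model of the RFC 4035 section 3.2.1 stripping rule for DO=0 queries. The set of "authenticating DNSSEC RRs" is taken from the section 3 text quoted above (RRSIG, DNSKEY, NSEC); the `any_is_explicit` flag is this example's own device for switching between the "pro" reading (QTYPE=ANY explicitly requests every type present) and the "con" reading (only a query for the type itself counts); the zone data, names and RDATA strings are constructed for illustration and are not real records.

```python
"""Model of RFC 4035 section 3.2.1 response filtering for DO=0 queries.

Added example, not code from the original post. The DNSSEC type set comes
from the quoted RFC 4035 section 3 text; the any_is_explicit switch and the
sample zone are constructed for illustration.
"""
from dataclasses import dataclass

# RR types RFC 4035 section 3 names as needing DO-bit-dependent processing.
DNSSEC_TYPES = frozenset({"RRSIG", "DNSKEY", "NSEC"})


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str  # for RRSIG the first token is the type covered


# Constructed sample zone: one signed A RRset, its DNSKEY and NSEC RRsets.
ZONE = [
    RR("example.test.", "A", "192.0.2.1"),
    RR("example.test.", "RRSIG", "A 8 2 3600 (constructed signature)"),
    RR("example.test.", "DNSKEY", "257 3 8 (constructed key)"),
    RR("example.test.", "RRSIG", "DNSKEY 8 2 3600 (constructed signature)"),
    RR("example.test.", "NSEC", "www.example.test. A RRSIG NSEC DNSKEY"),
    RR("example.test.", "RRSIG", "NSEC 8 2 3600 (constructed signature)"),
]


def lookup(zone, qname, qtype):
    """Gather the candidate answer before any DO-bit processing.

    For ANY, every RR at the name; otherwise the requested RRset plus the
    RRSIGs covering it (a simplified authoritative lookup).
    """
    at_name = [rr for rr in zone if rr.name == qname]
    if qtype == "ANY":
        return at_name
    return [
        rr for rr in at_name
        if rr.rtype == qtype
        or (rr.rtype == "RRSIG" and rr.rdata.split()[0] == qtype)
    ]


def filter_response(answer, qtype, do_bit, any_is_explicit):
    """Apply RFC 4035 3.2.1: with DO clear, strip authenticating DNSSEC RRs
    but never those whose type the query explicitly requested.

    any_is_explicit selects the reading of "explicitly requested":
      True  -> QTYPE=ANY counts as asking for every type (the "pro" reading)
      False -> only a query for that exact type counts (the "con" reading)
    """
    if do_bit:
        return list(answer)  # DO=1: nothing is stripped

    def explicitly_requested(rr):
        if rr.rtype == qtype:
            return True
        return any_is_explicit and qtype == "ANY"

    return [
        rr for rr in answer
        if rr.rtype not in DNSSEC_TYPES or explicitly_requested(rr)
    ]


def types_returned(qtype, do_bit, any_is_explicit=False,
                   qname="example.test."):
    """Convenience wrapper: the RR types of the final answer, in zone order."""
    answer = filter_response(lookup(ZONE, qname, qtype), qtype, do_bit,
                             any_is_explicit)
    return [rr.rtype for rr in answer]


if __name__ == "__main__":
    for qtype in ("A", "DNSKEY", "RRSIG", "ANY"):
        for do_bit in (True, False):
            for reading in (False, True):
                if qtype != "ANY" and reading:
                    continue  # the switch only matters for ANY
                label = f"QTYPE={qtype:6} DO={int(do_bit)}"
                if qtype == "ANY":
                    label += f" any_is_explicit={reading}"
                print(f"{label:45} -> {types_returned(qtype, do_bit, reading)}")
```

Running the script side by side shows where the two readings diverge: every non-ANY case gives the same result under both (a DO=0 DNSKEY query returns the DNSKEY RRset without its RRSIG; a DO=0 RRSIG query returns all RRSIGs), while a DO=0 ANY query returns only the A RRset under the "con" reading and the whole name's contents under the "pro" reading. The check a resolver-side or logging component would want is therefore on the ANY/DO=0 combination specifically, since that is the only one where the two readings produce observably different wire responses.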