> # Also: the DO bit was introduced to protect "innocent" resolvers from
> # DNSSEC RRs they might not expect or understand.
> #
> # Opinions?
>
> i think a security aware server should elide dnssec metadata unless DO is set
> ,
> whereas we already know that a security-nonaware server will not do this and
> will never do this.
>
> we can hope that a security non-aware server will never see dnssec metadata
> but we know this isn't true either.
>
> --
> to unsubscribe send a message to namedroppers-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive:


I'd expect to see the records in the answer section as a
client making a * query is expecting to see records it
cannot decode. A RFC 1035 client cannot decode a RP record
but no one here would say don't sent the RP.

I would not expect to see the DNSSEC records in the additional
and authority sections.

Asking * to a parent server with a signed parent zone of a
signed child zone gets more interesting. DS, NSEC and RRSIG
should be in the answer section. There should be a referral
containing the NS records. Again there would be not DNSSEC
records in the authority or additional sections.

Mark

;; Truncated, retrying in TCP mode.

; <<>> DiG 9.3.2 <<>> dv.isc.org any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37013
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 7

;; QUESTION SECTION:
;dv.isc.org. IN ANY

;; ANSWER SECTION:
dv.isc.org. 3600 IN SOA bsdi.dv.isc.org. marka.isc.org. 2006021500 86400 21600 2419200 86400
dv.isc.org. 60 IN RRSIG DNSKEY 5 3 60 20060316195737 20060214195737 37083 dv.isc.org. WtxeB8M2lAkrXIpdn/X2F0d8Zlx0UOXEyBkdVN6w+mX9KhO2hWf8vZ5C JHPGFoNEXQ7NEBuVJbUcntNKWXQR7QMBTE7LV5vOcbZLoyRR4a I1vwjz mC/9X9ODdZ9UQt/kDOaqKmwtrMtepbRmkw7MXjSNbO4xhJ3AsbPOdNrj UzV0rHfR/XHe9eD+NbDPCGXYF/hSqfjDv8iFx12JLAX3u3ymZ9FYhb5v xAtQBQO1KtiH9i5mPY7AVOxhtppYY70YB5VoBNvCC1uwfmI4d2 tFnfcv mzfj1M4f1C3PqscAlsWNCWMfzezX3xW53mkpDiQHE1d3AWrH6R +S8wq/ rtgZ3Q==
dv.isc.org. 60 IN RRSIG DNSKEY 5 3 60 20060316195737 20060214195737 52595 dv.isc.org. n2Xn9e300LIJcVhXXi4ZTFEpYDZT6ZSdjQdlWwc5HBbPyRSO7t DIbP78 yayc6dKyX19Bj06k47kbdiXeaCNkEgyNhtpKHeaxCd7lCQGZLa XSAz4m 7XHneELIgylLSGNCM87AHSzRzISsVSpzlcpyDVVUz/TxdxAnHM/lHNYe 9WU=
dv.isc.org. 60 IN DNSKEY 257 3 5 AQO/WTD1QT9aOKORz8l7lcWgghCH0E+cxr3cnm7v0oLA0NLMFa1NzZ Mt PVl6AGWu+jDo0y/y37lWUiNK9FLcmxzTvm2BgWHoZ3/aQcdxkR+SDIxB Ru3HlGGZcrk80lT77OBrYjiJmImQt9cLefG0TxzwYbWEX2AwYC Mil/Gf Fia11Cu3HC2JER/Z7INIYiXgX42FWQtqYqSwl20TkH1NLGoWXDQZEcUM BG/dz+o9JTTalQkIcohhxdJ9Bd1Yceq+4hEdN25mMvL2us8nJXa8n qry TEZ2iAce2RxYjhEAuZ4Dg0u0hgCvhOkEyf/M3erv1RkdB1UPMLgh7xiY cw5K87yd
dv.isc.org. 60 IN DNSKEY 256 3 5 AQPGP80zt8pQS5xVaaaD054XBet8sCKaYZ9WrnYyuznqNXkS91 j6qqHu w7Y9kKAVsFoWfNw0CpahdIJIhUPFM1JRJtXhNy1cg9Ok3kBnN+ fwCe2L Y3qOtweFbL9bSjgolQWr42AlFOjZnJVW1cECgVBfinKHBIEIIw IdHGGu LyIQaQ==
dv.isc.org. 86400 IN RRSIG NSEC 5 3 86400 20060316195737 20060214195737 52595 dv.isc.org. SICQlRWLkkm246Hd6e1YgU5Qq32zJAtOUjWuw9wmq14Qx9FKdj YS1xHu gYZ0cNj7bgzH0zg5Ke5oJ7g+VTkbIzXVO1wLd3nBKiKmnIIuUM 97AAAd DdSrqpg8txEZr3nad8xN48hUllntPjZRM9dRuEulFcTPARUk+t 5tTwP5 kbM=
dv.isc.org. 86400 IN NSEC _kerberos.dv.isc.org. NS SOA MX RRSIG NSEC DNSKEY
dv.isc.org. 86400 IN RRSIG MX 5 3 86400 20060316195737 20060214195737 52595 dv.isc.org. logv6ZVCD/TCjSmu+UIy9Fdg/S4rtZvVtbKpJGLos8RnfONkHYH6bPbe 8u5GzTJlB+MiGw55vl9JdXslNxsOhSyal3pPg+beboWiEo7W6D 0BlDgQ VXb48fpHiislIySd/Hu+0fzh9aXWLdOVP9R/XxOiO2cFEdxFUX2jbht+ NGw=
dv.isc.org. 86400 IN MX 0 bsdi.dv.isc.org.
dv.isc.org. 86400 IN RRSIG NS 5 3 86400 20060316195737 20060214195737 52595 dv.isc.org. qdPqO3dr2oPYD+baCWbJ7oQ8WBQVfeWjPvPy08tllITBz/0q+QS4W6Ec IbrzRV77hJfu6GoAcbiG55SqScmrFJQ46VIP5x2CHOGp4gupjS aCH7e+ RZojBdHPC6OwRnePmx4/z/X2bJkPquGT9sOvIFYesPKgaTklwrxR1tMK 4cA=
dv.isc.org. 86400 IN NS drugs.dv.isc.org.
dv.isc.org. 86400 IN NS bsdi1.dv.isc.org.
dv.isc.org. 3600 IN RRSIG SOA 5 3 3600 20060316195737 20060214195737 52595 dv.isc.org. kyhBxS3oR8LApMHb/G5I7TYbRPqVaJYz2B3qcfUYo6Bpq/RKEvgtsuyJ iUboj0Fwdq7dru0EN0Go5fdrbx9ajBj6qALykH14h9jabjw1RI 7nA28I OmLBUsMELWkgUkRLBXiujN912OQYHYRiEQ7E/oC72z3lJyAOa6pPlOs9 Zuk=

;; ADDITIONAL SECTION:
bsdi.dv.isc.org. 3600 IN A 192.168.191.233
bsdi.dv.isc.org. 3600 IN A 220.237.98.197
bsdi1.dv.isc.org. 86400 IN A 192.168.191.233
drugs.dv.isc.org. 86400 IN A 192.168.191.236
bsdi.dv.isc.org. 86400 IN AAAA 2001:470:1f00:ffff::5a1
bsdi.dv.isc.org. 86400 IN AAAA 2001:470:1f00:820:2e0:29ff:fe19:c02d
drugs.dv.isc.org. 86400 IN AAAA 2001:470:1f00:820:208:74ff:fe9f:eeae

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 21 09:15:29 2006
;; MSG SIZE rcvd: 1890

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: