This is a discussion on Re: DNSSECbis clarifications: QTYPE ANY & "DNSSEC RRSets" - DNS ; Peter Koch wrote: > during a discussion at a different venue the question arose whether or not > the "DNSSEC RRs" should be included in a response to an ANY query with DO=0. My take is that they should be ...
Peter Koch wrote:
> during a discussion at a different venue the question arose whether or not
> the "DNSSEC RRs" should be included in a response to an ANY query with DO=0.
My take is that they should be included.
> If the DO bit in an initiating query is not set, the name server side
> MUST strip any authenticating DNSSEC RRs from the response but MUST
> NOT strip any DNSSEC RR types that the initiating query explicitly
> The important part is the last full sentence.
IMO, an ANY query should be considered "explicitly requesting" all
records at the query name. Also, these DNSSEC RRs are not
"authenticating" DNSSEC RRs in the sense that they do not authenticate
the response, but are simply part of the unauthenticated response data
comprising the complete set of records at the query name.
> Also: the DO bit was introduced to protect "innocent" resolvers from
> DNSSEC RRs they might not expect or understand.
As Mark said, a client sending an ANY query must expect to receive
records of arbitrary types in the answer section even without DNSSEC.
Andreas Gustafsson, email@example.com
to unsubscribe send a message to firstname.lastname@example.org with
the word 'unsubscribe' in a single line as the message text body.