[dns-operations] signing a zone with NSEC3 records.

David Conrad drc at virtualized.org
Sat Sep 12 12:37:00 UTC 2009


George,

On Sep 12, 2009, at 12:56 AM, George Barwood wrote:
> http://tools.ietf.org/html/rfc3225
>
> says
>
> " Security records that
>   match an explicit SIG, KEY, NXT, or ANY query, or are part of the
>   zone data for an AXFR or IXFR query, are included whether or not the
>   DO bit was set."
>
> which I regard as a bad idea ( since ANY is not really explicit ).

Been through this many times.  The decision made when RFC 3225 was  
being discussed so long ago was that ANY actually mean "any".  If ANY  
were to mean "any except some unless there is some other indication  
that it really, really means any", then you'd get into a position of  
having to explicitly state whether RRs should be returned in ANY  
queries as they were defined.

ANY for any reason other than debugging is just a bad idea.  As such,  
the decision was made to treat ANY as an explicit request for DNSSEC- 
related RRs if they exist.

Regards,
-drc




More information about the dns-operations mailing list