[dns-operations] signing a zone with NSEC3 records.
David Conrad
drc at virtualized.org
Sat Sep 12 12:37:00 UTC 2009
George,
On Sep 12, 2009, at 12:56 AM, George Barwood wrote:
> http://tools.ietf.org/html/rfc3225
>
> says
>
> " Security records that
> match an explicit SIG, KEY, NXT, or ANY query, or are part of the
> zone data for an AXFR or IXFR query, are included whether or not the
> DO bit was set."
>
> which I regard as a bad idea ( since ANY is not really explicit ).
Been through this many times. The decision made when RFC 3225 was
being discussed so long ago was that ANY actually mean "any". If ANY
were to mean "any except some unless there is some other indication
that it really, really means any", then you'd get into a position of
having to explicitly state whether RRs should be returned in ANY
queries as they were defined.
ANY for any reason other than debugging is just a bad idea. As such,
the decision was made to treat ANY as an explicit request for DNSSEC-
related RRs if they exist.
Regards,
-drc
More information about the dns-operations
mailing list