[bind10-dev] why refusing RRSIG query? (Re: [svn] commit: r1289 - /trunk/src/lib/auth/data_source.cc)
Evan Hunt
each at isc.org
Sun Mar 14 19:57:22 UTC 2010
> > Refuse queries for RRSIG
>
> What's the justification for this behavior? My understanding is that
> even though the usage might be moot it's not prohibited.

It didn't fit properly with the current design of the SQL data source.
For normal queries, the SQL data source does a select to fetch the data you
requested and the associated signatures for the data, and assembles RRsets
containing the data and pointing to the RRSIGs. But if you ask it
specifically for RRSIGs, it will try to find some data to attach them
to, and bad behavior ensues.

I decided that for Y1, it would be a better use of my time to refuse
RRSIG queries and move on, rather than add special-case code to allow
them.

Actually, I'm not entirely sure we'll want to fix it in Y2. I don't think
the RFC requires an auth server to answer RRSIG queries--though BIND 9
does. They aren't a very good idea though.

eh
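
An added illustration of the design described in the message above (not code from BIND 10 or from the author): a toy SQLite data source that fetches data and its covering RRSIGs in one select, showing the signature-only RRsets a direct RRSIG query would produce and the refusal that avoids them. The table schema, function names and zone rows are assumptions constructed for this example.

```python
import sqlite3

# Constructed zone rows; this schema is an assumption for illustration,
# not the real schema of the BIND 10 SQL data source.
ROWS = [
    ("www.example.org.", "A", None, "192.0.2.1"),
    ("www.example.org.", "A", None, "192.0.2.2"),
    ("www.example.org.", "RRSIG", "A", "A 5 3 3600 (constructed signature)"),
    ("www.example.org.", "AAAA", None, "2001:db8::1"),
    ("www.example.org.", "RRSIG", "AAAA", "AAAA 5 3 3600 (constructed signature)"),
]

def open_zone():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE records (name TEXT, rdtype TEXT, sigtype TEXT, rdata TEXT)")
    db.executemany("INSERT INTO records VALUES (?, ?, ?, ?)", ROWS)
    return db

def find_rrsets(db, name, qtype):
    """One SELECT returns the requested data plus the RRSIGs covering it;
    each RRSIG row is attached to the RRset whose type it covers."""
    rows = db.execute(
        "SELECT rdtype, sigtype, rdata FROM records WHERE name = ? "
        "AND (rdtype = ? OR (rdtype = 'RRSIG' AND sigtype = ?)) ORDER BY rowid",
        (name, qtype, qtype))
    rrsets = {}
    for rdtype, sigtype, rdata in rows:
        covered = sigtype if rdtype == "RRSIG" else rdtype
        rrset = rrsets.setdefault(covered, {"type": covered, "rdata": [], "rrsigs": []})
        rrset["rrsigs" if rdtype == "RRSIG" else "rdata"].append(rdata)
    return list(rrsets.values())

def answer(db, name, qtype):
    # The behaviour described in the message: refuse RRSIG queries rather
    # than special-case them in the assembly step.
    if qtype == "RRSIG":
        return "REFUSED", []
    return "NOERROR", find_rrsets(db, name, qtype)

if __name__ == "__main__":
    db = open_zone()
    print(answer(db, "www.example.org.", "A"))
    print(answer(db, "www.example.org.", "RRSIG"))
    # Without the refusal, the assembly step yields RRsets with signatures
    # attached but no data for them to cover.
    print(find_rrsets(db, "www.example.org.", "RRSIG"))
```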