BIND 10 #2165: update Message::addRRset() to be unaware of signedness

BIND 10 Development do-not-reply at isc.org
Mon Aug 27 17:43:58 UTC 2012 

#2165: update Message::addRRset() to be unaware of signedness
-------------------------------------+-------------------------------------
                   Reporter:         |                 Owner:  muks
  jinmei                             |                Status:  reviewing
                       Type:  task   |             Milestone:
                   Priority:         |  Sprint-20120904
  medium                             |            Resolution:
                  Component:         |             Sensitive:  0
  libdns++                           |           Sub-Project:  DNS
                   Keywords:         |  Estimated Difficulty:  5
            Defect Severity:  N/A    |           Total Hours:  0
Feature Depending on Ticket:         |
  scalable inmemory                  |
        Add Hours to Ticket:  0      |
                  Internal?:  0      |
-------------------------------------+-------------------------------------

Comment (by jinmei):

 Replying to [comment:13 vorner]:

 Just happened to notice this:

 > Commit `3c20e037be36b32640289bb61f45d555649bad12`, right? Well, I'm
 little bit worried about one thing there. What happens if someone sends a
 query asking directly for RRSIG type without dnssec enabled? And,
 actually, that query makes sense ‒ I think unbound uses that trick to
 tunnel DNSSEC data if there's something not liking EDNS or a non-DNSSEC-
 aware cache in between.

 I didn't follow the context of this point, but regarding direct RRSIG
 queries: my understanding is that it's a kind of spec hole what an
 authoritative server should do for such queries.  I vaguely recall a
 discussion at the IETF on this point - (IIRC) some said RRSIGs are
 only meaningful with records they are signed for (and it's legitimate
 for auth servers to not return the RRSIGs (and RRSIGs only) for such
 queries); some said RRSIGs are just one type of RRs in one sense and
 shouldn't be treated differently when explicitly asked.  I don't know
 if there was a consensus about this.

 In any case, our current implementation doesn't return RRSIGs to
 direct RRSIGs queries anyway (try dig @ns.jinmei.org jinmei.org
 rrsig).  We can discuss if we want to change that (maybe a tomorrow's
 topic?), but I think it's outside the scope of this ticket.

-- 
Ticket URL: <http://bind10.isc.org/ticket/2165#comment:14>
BIND 10 Development <http://bind10.isc.org>
BIND 10 Development

More information about the bind10-tickets mailing list