My understanding is that the "extra" stuff wouldn't have any signature at all.
Wouldn't that break DNSSEC if the rest of the response had signatures? Or does
the DNSSEC-validation algorithm support "hybrid" responses like that?
- Kevin
-----Original Message-----
From: Tony Finch [mailto:d...@dotat.at]
Sent: Thursday, June 16, 2016 7:09 AM
To: Darcy Kevin (FCA)
Cc: bind-users@lists.isc.org
Subject: RE: Append a Hard-coded Text Tuple into Additional Section of "dig"
Feature
Darcy Kevin (FCA) <kevin.da...@fcagroup.com> wrote:
>
> It'll also, irrespective of caching, break DNSSEC.
No, extra stuff in the additional section should not break DNSSEC because the
signatures are per-RRset not per-message.
Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Tyne, West Dogger: Variable 3 or 4, becoming northerly or northwesterly 5 or 6.
Slight becoming moderate. Rain or showers, fog patches. Moderate or good,
occasionally very poor.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
