My understanding is that the "extra" stuff wouldn't have any signature at all.
Wouldn't that break DNSSEC if the rest of the response had signatures? Or does
the DNSSEC-validation algorithm support "hybrid" responses like that?
- Kevin
-----Original Message-----
From: Tony Finch [mailto:[email protected]]
Sent: Thursday, June 16, 2016 7:09 AM
To: Darcy Kevin (FCA)
Cc: [email protected]
Subject: RE: Append a Hard-coded Text Tuple into Additional Section of "dig" Feature

Darcy Kevin (FCA) <[email protected]> wrote:
>
> It'll also, irrespective of caching, break DNSSEC.

No, extra stuff in the additional section should not break DNSSEC because the
signatures are per-RRset not per-message.
Tony.
--
f.anthony.n.finch <[email protected]> http://dotat.at/ - I xn--zr8h punycode
Tyne, West Dogger: Variable 3 or 4, becoming northerly or northwesterly 5 or 6.
Slight becoming moderate. Rain or showers, fog patches. Moderate or good,
occasionally very poor.
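
The per-RRset point discussed in this thread, as an added example that is not part of the original messages or of BIND: a simplified model in which each RRset is checked against its own signature, so an unsigned record appended to the additional section leaves the answer's status unchanged. The HMAC key, record names, addresses and the `validate` helper are constructed assumptions; HMAC stands in for the real public-key RRSIG computation.

```python
import hashlib
import hmac

ZONE_KEY = b"constructed-demo-key"  # assumption: stand-in for the zone's key pair

def rrset_key(rr):
    # An RRset is every record sharing owner name, class and type.
    name, rclass, rtype, _ttl, _rdata = rr
    return (name.lower(), rclass, rtype)

def canonical(key, rdatas):
    # Simplified canonical form: lowercased owner, RDATA sorted.
    return "|".join(key + tuple(sorted(rdatas))).encode()

def sign_rrset(key, rdatas):
    # HMAC stands in for the RRSIG public-key signature (assumption).
    return hmac.new(ZONE_KEY, canonical(key, rdatas), hashlib.sha256).hexdigest()

def validate(message):
    """Return {rrset_key: 'secure' | 'bogus' | 'unsigned'} for one response."""
    rrsets, sigs = {}, {}
    for section in ("answer", "authority", "additional"):
        for rr in message.get(section, []):
            name, rclass, rtype, _ttl, rdata = rr
            if rtype == "RRSIG":
                covered, sig = rdata  # (type covered, signature)
                sigs[(name.lower(), rclass, covered)] = sig
            else:
                rrsets.setdefault(rrset_key(rr), []).append(rdata)
    result = {}
    for key, rdatas in rrsets.items():
        if key not in sigs:
            result[key] = "unsigned"
        elif hmac.compare_digest(sigs[key], sign_rrset(key, rdatas)):
            result[key] = "secure"
        else:
            result[key] = "bogus"
    return result

# Constructed sample data (documentation addresses and names).
A_KEY = ("www.example.", "IN", "A")
A_DATA = ["192.0.2.1", "192.0.2.2"]
signed = {"answer": [A_KEY + (300, d) for d in A_DATA]
          + [("www.example.", "IN", "RRSIG", 300, ("A", sign_rrset(A_KEY, A_DATA)))]}
# Same response with a hard-coded, unsigned TXT appended to the additional section.
hybrid = dict(signed, additional=[("note.example.", "IN", "TXT", 0, "hello")])
# A change inside the signed RRset itself is what fails verification.
tampered = {"answer": [A_KEY + (300, "198.51.100.9")] + signed["answer"][1:]}
```
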