On Wed, Feb 11, 2015 at 06:19:16PM -0500, John wrote:
> Just curious, you put the actual TLSA record first and then the
> CNAMEs. Any particular reason for the order?
Clarity of exposition. You're outsourcing thinking about this to
the list.
* A DNS zone is a key-value database:
(owner-name, class, type) => RRset
* As with any key-value database the relative order
of keys cannot be significant.
* Even the relative order of RRs within an RRset is not significant
for DNSSEC purposes, as the RRset signature is calculated over
the canonical ordering. So RRsets in which the order matters
cannot rely on DNSSEC to protect that order.
--
Viktor.
