On 16 Jan 2010, at 11:17, George Barwood wrote:
> To correct my statement, the following query shows that glue records
> may be signed
>
> dig soa se @a.ns.se +dnssec

No it doesn't. The name servers for .se are authoritative for the
address records for *.ns.se. And ns.se isn't delegated either. The A
and AAAA records for *.ns.se in this response are not glue. They would
be glue if they were in a referral response from a server for .se's
parent.

> The question then is "is the additional RRSIG data useful" ?
> My answer is "probably not".

So authoritative servers shouldn't volunteer helpful/relevant data in
the Additional Section of a response, should they? If the server's got
additional data that might benefit the client -- like an A or AAAA
record for a hostname in the RDATA of an answer -- it makes sense for
the server to include it provided there's room for that data in the
response. That also applies to any RRSIG(s) over that additional data,
assuming of course the client had set the DO bit.
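
The glue-versus-authoritative distinction drawn in this message, as an added example that is not part of the original post: a server's view of a name depends on its zone apex and its delegation points (zone cuts). The zone data, the `example.se.` delegation and all function names are constructed assumptions for illustration.

```python
# Added example: classify address records as authoritative data or glue.
# APEX/CUTS/ADDRESSES are constructed sample data, not the real .se zone.

def labels(name):
    """Split a domain name into lowercase labels (root gives [])."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def is_subdomain(name, parent):
    """True if name equals parent or lies below it, compared label-wise."""
    n, p = labels(name), labels(parent)
    return len(n) >= len(p) and (not p or n[-len(p):] == p)

def classify(name, apex, cuts):
    """Return 'out-of-zone', 'glue' or 'authoritative' for an owner name,
    as seen by a server for the zone `apex` with delegation points `cuts`."""
    if not is_subdomain(name, apex):
        return "out-of-zone"
    if any(is_subdomain(name, cut) for cut in cuts):
        return "glue"            # at or below a zone cut: not signed here
    return "authoritative"       # zone's own data: covered by RRSIGs

def additional_section(targets, apex, cuts, addresses, do_bit):
    """Build (owner, type) entries for the additional section.
    RRSIGs accompany only authoritative RRsets, and only when DO is set."""
    out = []
    for host in targets:
        for rtype in addresses.get(host, ()):
            out.append((host, rtype))
            if do_bit and classify(host, apex, cuts) == "authoritative":
                out.append((host, "RRSIG(%s)" % rtype))
    return out

APEX = "se."
CUTS = {"example.se."}                      # hypothetical delegated child
ADDRESSES = {"a.ns.se.": ["A", "AAAA"],     # record types only, no addresses
             "ns1.example.se.": ["A"]}      # hypothetical glue for the child

if __name__ == "__main__":
    # Same name, two servers: authoritative for .se, glue for .se's parent.
    print(classify("a.ns.se.", APEX, CUTS))       # view from a .se server
    print(classify("a.ns.se.", ".", {"se."}))     # view from the root
    for entry in additional_section(["a.ns.se.", "ns1.example.se."],
                                    APEX, CUTS, ADDRESSES, do_bit=True):
        print(entry)
```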