Another thought: responses to RRSIG queries cannot be validated. I hope 
resolvers don't cache them, or at least treat them with great suspicion.

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at

> On 7 Mar 2015, at 21:19, Tony Finch <fa...@cam.ac.uk> wrote:
> 
> 
>> On 7 Mar 2015, at 21:04, Tony Finch <fa...@cam.ac.uk> wrote:
>> 
>> I think Ralf is right that QTYPE=RRSIG is weird just like ANY, in that it is 
>> asking for (part of) all? any? RRsets at a given owner name. I wonder how 
>> caches handle it...
> 
> OK, that's fun, a test demonstrated that BIND treats RRSIG queries like ANY, 
> i.e. you get whatever happens to be in the cache.
> 
> Tony (ssh and dig is a bit fiddly on a phone).
> -- 
> f.anthony.n.finch  <d...@dotat.at>  http://dotat.at
> 

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
