On Fri, Oct 9, 2015 at 10:54 AM, Paul Wouters <p...@nohats.ca> wrote:
> On Fri, 9 Oct 2015, Joe Abley wrote:
>
>> In a fit of zeal I wrote up what I thought was a reasonable clarification
>> to 1034/1035 with respect to the ordering of RRSets within sections of a
>> response to a DNS QUERY, prompted by the discussions on this list in
>> August, to which maybe this link is a useful pointer:
>>
>> Mark and Paul gave me some opinions as I was writing this up, that I may
>> or may not have represented accurately in the text. I think the advice is
>> reasonable, but thoughts from the throng as to (a) whether this was worth
>> writing down and (b) whether what I wrote is nonsense would be appreciated.
>
> I find it strange that you suggest ordering matters for the Answer
> section but not the Authoritative section. It seems that we will just
> get more assumptions from code that order matters there too, and 10
> years from now we are writing this document again, but for the
> Authoritative section.
>
> Paul

It already seems to matter for some implementations. My colleague, Casey
Deccio, has uncovered a case where a certain resolver implementation fails
to authenticate negative responses when NSEC/NSEC3 signatures appear before
the data records in the authority section of responses from an upstream
forwarder. I hope he'll elaborate on more specific details.

(Not implying we should sanction this behavior; just reporting what's been
observed in the field).

Shumon Huque.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
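Added example, not part of the thread and not the code of the resolver mentioned in it: the sketch below pairs RRSIGs with the RRsets they cover by (owner, type covered) so the result does not depend on record order, next to a hypothetical order-dependent matcher that loses signatures placed before their data. The `RR` tuple, the function names and the sample records are assumptions constructed for illustration; the message does not say how the affected resolver matches signatures.

```python
from collections import defaultdict
from typing import NamedTuple

class RR(NamedTuple):
    name: str
    rtype: str         # "SOA", "NSEC3", "RRSIG", ...
    covers: str = ""   # RRSIG only: the type it covers

def pair_any_order(section):
    """Attach RRSIGs to RRsets by (owner, type covered), ignoring position."""
    data, sigs = defaultdict(list), defaultdict(list)
    for rr in section:
        if rr.rtype == "RRSIG":
            sigs[(rr.name.lower(), rr.covers)].append(rr)
        else:
            data[(rr.name.lower(), rr.rtype)].append(rr)
    return {key: (rrs, sigs.get(key, [])) for key, rrs in data.items()}

def pair_sig_after_data(section):
    """Hypothetical order-dependent matcher: keeps an RRSIG only when the
    RRset it covers was already seen earlier in the section."""
    out = {}
    for rr in section:
        if rr.rtype == "RRSIG":
            key = (rr.name.lower(), rr.covers)
            if key in out:
                out[key][1].append(rr)   # otherwise the signature is lost
        else:
            out.setdefault((rr.name.lower(), rr.rtype), ([], []))[0].append(rr)
    return out

def unsigned(paired):
    """RRsets left with no covering signature, i.e. not validatable."""
    return sorted(key for key, (_, s) in paired.items() if not s)

# Constructed authority section of a signed negative response.
SOA, SOA_SIG = RR("example.", "SOA"), RR("example.", "RRSIG", "SOA")
N3, N3_SIG = RR("hash1.example.", "NSEC3"), RR("hash1.example.", "RRSIG", "NSEC3")
DATA_FIRST = [SOA, SOA_SIG, N3, N3_SIG]
SIGS_FIRST = [SOA_SIG, SOA, N3_SIG, N3]

if __name__ == "__main__":
    for label, section in (("data first", DATA_FIRST), ("sigs first", SIGS_FIRST)):
        print(label, "any-order:", unsigned(pair_any_order(section)),
              "order-dependent:", unsigned(pair_sig_after_data(section)))
```

Running both orderings through a validator's own pairing step in a regression test is a direct way to confirm it makes no assumption about where signatures sit in the authority section.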