Re: [dnsext] Possible DNSSECbis clarifications

Joe Abley <> Mon, 28 March 2011 15:19 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9FA1D3A684A for <>; Mon, 28 Mar 2011 08:19:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.6
X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id LYXTtCi6IEEo for <>; Mon, 28 Mar 2011 08:19:08 -0700 (PDT)
Received: from ( [IPv6:2001:4900:1:392:213:20ff:fe1b:3bfe]) by (Postfix) with ESMTP id B67BD3A67D6 for <>; Mon, 28 Mar 2011 08:19:08 -0700 (PDT)
Received: from [2001:df8:0:16:5a55:caff:feec:96bf] by with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.74 (FreeBSD)) (envelope-from <>) id 1Q4EFI-000Mhq-6N; Mon, 28 Mar 2011 15:20:45 +0000
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: Joe Abley <>
In-Reply-To: <01a901cbed53$e744b7e0$b5ce27a0$>
Date: Mon, 28 Mar 2011 17:20:38 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <00a701cbed28$64d1b1d0$2e751570$> <> <018401cbed48$0b8a6ac0$229f4040$> <> <01a901cbed53$e744b7e0$b5ce27a0$>
To: Marc Lampo <>
X-Mailer: Apple Mail (2.1084)
X-SA-Exim-Connect-IP: 2001:df8:0:16:5a55:caff:feec:96bf
X-SA-Exim-Scanned: No (on; SAEximRunCond expanded to false
Cc:, 'Olafur Gudmundsson' <>
Subject: Re: [dnsext] Possible DNSSECbis clarifications
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 28 Mar 2011 15:19:09 -0000

On 2011-03-28, at 16:19, Marc Lampo wrote:

> But then, how to link a RRSIG(SOA) with *its* SOA ?

If there are multiple, different SOAs found in an AXFR response then you throw that response away. RFC 1034 seems fairly clear on that.

  When the poll shows that the zone has changed, then the secondary server
  must request a zone transfer via an AXFR request for the zone.  The AXFR
  may cause an error, such as refused, but normally is answered by a
  sequence of response messages.  The first and last messages must contain
  the data for the top authoritative node of the zone.  Intermediate
  messages carry all of the other RRs from the zone, including both
  authoritative and non-authoritative RRs.  The stream of messages allows
  the secondary to construct a copy of the zone.  Because accuracy is
  essential, TCP or some other reliable protocol must be used for AXFR

> Or simply : "try" all available RRSIG(SOA)'s, if at least one validates
> the SOA being looked at, then accept it.

Zero or one RRSIG RRSets over the SOA, one SOA RR and one identical copy of the same SOA record. I don't see a validation problem.