Re: [dnsext] duplicate RRs and resulting RRSIG
"Marco Davids (SIDN)" <marco.davids@sidn.nl> Fri, 06 January 2012 08:05 UTC
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
Hi Bert,

On 01/04/12 21:26, bert hubert wrote:

> RFC 2181, section 5, says that servers should (lower case) 'suppress'
> duplicate RRSIGs, which would argue that at least PowerDNS is
> partially to blame, and should've dropped the duplicate record.
> However, the outer server I think should also not feel free to drop
> records on a DNSSEC signed zone.

What about RFC4034, section 6.3:

"if an implementation detects duplicate RRs when putting the RRset in
canonical form, it MUST treat this as a protocol error. If the
implementation chooses to handle this protocol error in the spirit of
the robustness principle (being liberal in what it accepts), it MUST
remove all but one of the duplicate RR(s) for the purposes of
calculating the canonical form of the RRset."

--
Marco
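The RFC 4034 section 6.3 handling quoted above, as an added example that is not part of the original message or of any implementation named in the thread. The function names, the constructed A RRset, and the SHA-256 digest standing in for the signed data (the RRSIG RDATA prefix is omitted) are assumptions made for illustration.

```python
import hashlib
import struct

class DuplicateRRError(ValueError):
    """Strict mode: RFC 4034 section 6.3 calls duplicate RRs a protocol error."""

def wire_name(name):
    """Encode a domain name in lowercase, uncompressed wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def canonical_rrset(rdatas, liberal=True):
    """Order RDATA as left-justified unsigned octet strings and handle duplicates.

    liberal=True keeps exactly one copy of each duplicate (robustness principle);
    liberal=False rejects the RRset as a protocol error.
    """
    # Python compares bytes as unsigned octets, and a shorter prefix sorts first,
    # which matches the canonical RR ordering rule.
    unique = sorted(set(rdatas))
    if len(unique) != len(rdatas) and not liberal:
        raise DuplicateRRError("duplicate RR in RRset")
    return unique

def rrset_digest(owner, rrtype, rrclass, ttl, rdatas):
    """SHA-256 over RR(1) | RR(2) | ... in the order given.

    Each RR(i) is owner | type | class | TTL | RDATA length | RDATA.
    """
    h = hashlib.sha256()
    for rdata in rdatas:
        h.update(wire_name(owner))
        h.update(struct.pack("!HHIH", rrtype, rrclass, ttl, len(rdata)))
        h.update(rdata)
    return h.hexdigest()

# Constructed sample: an A RRset in which 192.0.2.1 appears twice.
SAMPLE = [bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]), bytes([192, 0, 2, 1])]

if __name__ == "__main__":
    # A signer that hashes the duplicate and a validator that removes it
    # compute different data, so the RRSIG cannot verify.
    print("with duplicate:", rrset_digest("example.com.", 1, 1, 3600, sorted(SAMPLE)))
    print("deduplicated  :", rrset_digest("example.com.", 1, 1, 3600, canonical_rrset(SAMPLE)))
```

The two digests differ, which is why a signer and a validator must agree on duplicate handling before the signature is calculated or checked.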