Re: [dnsext] Possible DNSSECbis clarifications

Mark Andrews <> Mon, 28 March 2011 09:27 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 753093A68B0 for <>; Mon, 28 Mar 2011 02:27:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id iH2h1nD6Hmkx for <>; Mon, 28 Mar 2011 02:27:16 -0700 (PDT)
Received: from ( [IPv6:2001:4f8:0:2::2b]) by (Postfix) with ESMTP id 185F73A686C for <>; Mon, 28 Mar 2011 02:27:16 -0700 (PDT)
Received: from ( [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "", Issuer "ISC CA" (verified OK)) by (Postfix) with ESMTPS id 4A51BC9423; Mon, 28 Mar 2011 09:28:49 +0000 (UTC) (envelope-from
Received: from (unknown [IPv6:2001:df8:0:96:6233:4bff:fe01:7585]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Postfix) with ESMTPSA id CA9ED216C22; Mon, 28 Mar 2011 09:28:48 +0000 (UTC) (envelope-from
Received: from (localhost []) by (Postfix) with ESMTP id 02E5BD97013; Mon, 28 Mar 2011 20:28:46 +1100 (EST)
To: Olafur Gudmundsson <>
From: Mark Andrews <>
References: <>
In-reply-to: Your message of "Mon, 28 Mar 2011 04:12:10 EDT." <>
Date: Mon, 28 Mar 2011 20:28:46 +1100
Message-Id: <>
Subject: Re: [dnsext] Possible DNSSECbis clarifications
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 28 Mar 2011 09:27:17 -0000

In message <>, Olafur Gudmundsson writes:
> Dear colleagues,
> The following is a result of a side conversation on the interpretation
> of RFC403x with number of DNS colleagues.
> Any mistakes in the questions are mine.
> The questions are:
> 1) What is the valid order of signed RRsets?
> 2) How many times SHOULD/MUST RRSIG(SOA) appear in an AXFR?
> 3) What RRSIG(SOA)'s MUST appear on the wire in an IXFR transaction?
> Q1) A: In RFC403x there is no order requirement on an signed RRset thus 
> implementations should be ready to handle any combination
> Following Examples should be treated as the same RRset
> 	RR1		RR3		RRSIG2
> 	RR2		RRSIG1		RR2
> 	RR3		RR1		RR3
> Q2) In AXFR the SOA record is used as a marker record to signal the 
> beginning of a zone transfer and the end of the zone transfer.
> The open question is how many times should RRSIG(SOA) appear in the
> AXFR stream ?
> 	a) Only once
> 	b) Both times
> 	c) Does not matter both are ok.
> if the answer is a) then the question is when should it appear,
> 	i) in the beginning after the SOA
> 	ii) at any time in the AXFR
> 	iii) just before the final one.
> 	iv) after the final one.

All records with the exception of the SOA should appear once but
multiple should be handled. This is covered in AXFR clarify. The
record should be between the SOA records.  The SOA records bookend
the zone transfer.
> Q3) In IXFR there are multiple SOA records used as maker both on the 
> overall transaction and on each delta.
> The questions here are:
> Which RRSIG(SOA) i.e. for each serial number, are needed ?
> 	a) All of them once
> 	b) all of them each time SOA appears
> 	b) only the final one, all the other ones are immaterial
> 	  (open question is how often and where)
> 	c) The first and last one and each only once,
> 	   the first one is needed to identify what to delete from
> 	   the zone, the final one is what is going to be in the
>             zone after the IXFR is applied.

IXFR contains sets of deltas which consist of the *records* that
have changed in the zone.  Assuming a properly signed zone you
will have the final SOA, the starting SOA, RRSIGs of the starting SOA + any
other changes, the next (possibly final) SOA, the RRSIGs of the SOA
that apply to that and any other changes,  possibly the next delta,
.... then the final SOA.

> Is there need put this information in dnssec-bis (the answer to the AXFR 
> question may update RFC5936) and in IXFR-bis document ?

> 	Olafur
> _______________________________________________
> dnsext mailing list
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: