Re: Question about TSIG, AD/AA, and AXFR

Roy Arends <Roy.Arends@nominum.com> Tue, 17 July 2001 15:38 UTC

MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
From: Roy Arends <Roy.Arends@nominum.com>
To: Edward Lewis <lewis@tislabs.com>
Cc: Brian Wellington <Brian.Wellington@nominum.com>, namedroppers@ops.ietf.org
Subject: Re: Question about TSIG, AD/AA, and AXFR
In-Reply-To: <E15MVFG-000Hzo-00@psg.com>
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
Message-Id: <E15MWYJ-000KpX-00@psg.com>
Date: Tue, 17 Jul 2001 08:14:23 -0700
Content-Transfer-Encoding: 7bit

On Tue, 17 Jul 2001, Edward Lewis wrote:

> (Perhaps we should recommend that TSIG queries be issued with the
> DNSSEC indication off.)

I think this is not a good idea.

Since TSIG is server authentication (origin), DNSSEC is zone
authentication (content) we could have the following situation:

Say there is some application that wants to verify signatures itself (SSH
KEY + SIG(KEY)), using the stub-resolver for queries, which is configured
to TSIG all data from the caching forwarder. No DNSSEC response will then
be received at the stub since the stub uses TSIG and the DO bit unset in
your scenario.

Roy Arends
Nominum

to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.

Re: Question about TSIG, AD/AA, and AXFR Brian Wellington
Re: Question about TSIG, AD/AA, and AXFR Jakob Schlyter
Re: Question about TSIG, AD/AA, and AXFR Edward Lewis
Re: Question about TSIG, AD/AA, and AXFR Robert Elz
Re: Question about TSIG, AD/AA, and AXFR Roy Arends
Re: Question about TSIG, AD/AA, and AXFR Roy Arends