Re: [dnsext] Possible DNSSECbis clarifications

"George Barwood" <> Mon, 28 March 2011 08:57 UTC

Message-ID: <A496654AFE2E4E04922966B61D46D0F1@local>
From: George Barwood <>
To: Olafur Gudmundsson <>,
References: <>
Date: Mon, 28 Mar 2011 09:59:06 +0100
Subject: Re: [dnsext] Possible DNSSECbis clarifications

My understanding on these questions...

----- Original Message ----- 
From: "Olafur Gudmundsson" <>
To: <>
Sent: Monday, March 28, 2011 9:12 AM
Subject: [dnsext] Possible DNSSECbis clarifications

> Dear colleagues,
> The following is a result of a side conversation on the interpretation
> of RFC403x with a number of DNS colleagues.
> Any mistakes in the questions are mine.
> The questions are:
> 1) What is the valid order of signed RRsets?
> 2) How many times SHOULD/MUST RRSIG(SOA) appear in an AXFR?
> 3) What RRSIG(SOA)'s MUST appear on the wire in an IXFR transaction?
> Q1) A: In RFC403x there is no order requirement on a signed RRset, thus 
> implementations should be ready to handle any combination.
> The following examples should be treated as the same RRset:
> RR3 RR1 RR3

Agreed. Within a section, records may be in any order.
The normal approach is to have RRSIGs immediately follow the records that
they sign, but this is not required by the standard.

> Q2) In AXFR the SOA record is used as a marker record to signal the 
> beginning of a zone transfer and the end of the zone transfer.
> The open question is how many times should RRSIG(SOA) appear in the
> AXFR stream ?
> a) Only once
> b) Both times
> c) Does not matter both are ok.
> if the answer is a) then the question is when should it appear,
> i) in the beginning after the SOA
> ii) at any time in the AXFR
> iii) just before the final one.
> iv) after the final one.

RRSIG(SOA) records should be anywhere after the initial SOA and before the final SOA record.

> Q3) In IXFR there are multiple SOA records used as markers, both on the 
> overall transaction and on each delta.
> The questions here are:
> Which RRSIG(SOA) i.e. for each serial number, are needed ?
> a) All of them once
> b) all of them each time SOA appears
> b) only the final one, all the other ones are immaterial
>   (open question is how often and where)
> c) The first and last one and each only once,
>    the first one is needed to identify what to delete from
>    the zone, the final one is what is going to be in the
>    zone after the IXFR is applied.

I'm not familiar with IXFR, so no opinion on this one.

> Is there a need to put this information in dnssec-bis (the answer to the AXFR 
> question may update RFC5936) and in the IXFR-bis document?
> Olafur
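An added example, not part of the thread or of any DNS implementation, to make the two answers above concrete. It models records as (owner, class, type, rdata) tuples with constructed sample data for a toy "example." zone (the RRSIG RDATA are placeholders, not real signatures). For Q1 it shows that grouping into RRsets and applying the RFC 4034 canonical ordering gives the same result whatever order or repetition the wire carried. For Q2 it checks an AXFR stream for the SOA marker structure and accepts an RRSIG(SOA) anywhere between the two markers; that placement rule is the reading taken in the reply above and is an assumption of this code, not text quoted from RFC 4035 or RFC 5936.

```python
"""Added example, not from the thread: an order-independent RRset model
(Q1) and a structural check of an AXFR record stream (Q2).

Records are constructed toy data in presentation form. The placement rule
enforced for RRSIG(SOA) is the reply's reading, "anywhere after the initial
SOA and before the final SOA", which is an assumption here, not text quoted
from RFC 4035 or RFC 5936.
"""
from collections import defaultdict

# A record is an (owner, class, type, rdata) tuple. TTL is omitted, since
# RFC 4034 canonical form compares owner, class, type and RDATA.


def rrset_key(record):
    """Owner names are case-insensitive, so the RRset key lowercases them."""
    owner, rrclass, rrtype, _ = record
    return (owner.lower(), rrclass, rrtype)


def canonical_rrset(records):
    """Canonical order of one RRset (RFC 4034 section 6.3): RDATA sorted as
    uninterpreted byte strings, duplicates collapsed. Here the presentation
    string stands in for wire-format RDATA (same order for these ASCII
    samples). The result does not depend on the order the wire carried."""
    if len({rrset_key(r) for r in records}) != 1:
        raise ValueError("records belong to more than one RRset")
    return sorted(set(records), key=lambda r: r[3].encode())


def group_rrsets(records):
    """Group records arriving in any order into canonically ordered RRsets."""
    groups = defaultdict(list)
    for r in records:
        groups[rrset_key(r)].append(r)
    return {k: canonical_rrset(v) for k, v in groups.items()}


def check_axfr(stream):
    """Structural checks on an AXFR response viewed as a flat record list:
    the SOA is the first and last record and appears nowhere else, the two
    copies agree, and at least one RRSIG covering SOA lies between them.
    Any position between the markers is accepted (the reply's reading).
    Returns a list of problems; an empty list means the stream passes."""
    problems = []
    if len(stream) < 2 or stream[0][2] != "SOA" or stream[-1][2] != "SOA":
        problems.append("stream must begin and end with the SOA marker record")
        return problems
    if stream[0] != stream[-1]:
        problems.append("opening and closing SOA differ; serial changed mid-transfer?")
    for i, r in enumerate(stream[1:-1], start=1):
        if r[2] == "SOA":
            problems.append(f"extra SOA at position {i}; AXFR carries SOA only as markers")
    covers_soa = [i for i, r in enumerate(stream)
                  if r[2] == "RRSIG" and r[3].split()[0] == "SOA"]
    if not covers_soa:
        problems.append("no RRSIG(SOA) between the marker records")
    return problems


# Constructed sample zone; the RRSIG RDATA are placeholders, not real signatures.
SOA = ("example.", "IN", "SOA",
       "ns1.example. hostmaster.example. 2011032801 7200 3600 1209600 3600")
NS1 = ("example.", "IN", "NS", "ns1.example.")
NS2 = ("example.", "IN", "NS", "ns2.example.")
RRSIG_SOA = ("example.", "IN", "RRSIG",
             "SOA 8 1 3600 20110427000000 20110328000000 12345 example. c2ln")
RRSIG_NS = ("example.", "IN", "RRSIG",
            "NS 8 1 3600 20110427000000 20110328000000 12345 example. c2ln")

if __name__ == "__main__":
    # Q1: the same RRset however the wire ordered (or repeated) the records.
    print(canonical_rrset([NS2, NS1, NS2]) == canonical_rrset([NS1, NS2]))
    # Q2: RRSIG(SOA) right after the first SOA, or just before the last; both pass.
    print(check_axfr([SOA, RRSIG_SOA, NS1, NS2, RRSIG_NS, SOA]))
    print(check_axfr([SOA, NS1, NS2, RRSIG_NS, RRSIG_SOA, SOA]))
    # Placing it after the closing SOA (option iv) breaks the marker structure.
    print(check_axfr([SOA, NS1, NS2, RRSIG_NS, SOA, RRSIG_SOA]))
```

The checker deliberately does not care how many RRSIG(SOA) records appear or where between the markers they sit, so a stream that repeats the SOA signature next to both SOA copies passes just as one that carries it once does; a stream with the signature after the closing SOA fails, because the final record is then no longer the SOA marker.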