Re: [dnsext] Possible DNSSECbis clarifications

"Marc Lampo" <> Mon, 28 March 2011 09:11 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id BE0393A690A for <>; Mon, 28 Mar 2011 02:11:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.15
X-Spam-Status: No, score=-1.15 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MSGID_MULTIPLE_AT=1.449]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id FUmft7c5o9tS for <>; Mon, 28 Mar 2011 02:11:34 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 497603A683D for <>; Mon, 28 Mar 2011 02:11:32 -0700 (PDT)
X-ASG-Debug-ID: 1301303583-46c953290001-uIE7UK
Received: from ( []) by with ESMTP id jZHwciYOTHwPyo2z; Mon, 28 Mar 2011 11:13:03 +0200 (CEST)
X-ASG-Whitelist: Client
Received: from localhost (localhost.localdomain []) by (Postfix) with ESMTP id C8150E407A; Mon, 28 Mar 2011 11:07:41 +0200 (CEST)
X-Virus-Scanned: amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 1GyowWM3WRoS; Mon, 28 Mar 2011 11:07:41 +0200 (CEST)
Received: from ( []) by (Postfix) with ESMTP id B53BFE4050; Mon, 28 Mar 2011 11:07:41 +0200 (CEST)
From: Marc Lampo <>
To: 'Olafur Gudmundsson' <>,
References: <>
In-Reply-To: <>
Date: Mon, 28 Mar 2011 11:07:41 +0200
X-ASG-Orig-Subj: RE: [dnsext] Possible DNSSECbis clarifications
Message-ID: <00a701cbed28$64d1b1d0$2e751570$@lampo>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
X-Mailer: Zimbra 6.0.10_GA_2692 (ZimbraConnectorForOutlook/5.0.3064.18)
Thread-Index: AcvtH9X7xkzgbJN5S2CDk9IFp0cCAAAB5daw
Content-Language: en-za
X-Originating-IP: []
X-Barracuda-Start-Time: 1301303583
X-Virus-Scanned: by bsmtpd at
Subject: Re: [dnsext] Possible DNSSECbis clarifications
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 28 Mar 2011 09:11:36 -0000


Only a feedback on Q2) # times the RRSIG(SOA) should appear in zone

I think "b) both times".
While the second SOA might serve as an indicator of "end of zone
it also indicates that the transferred zone was not changed (at sender
during the time it took to send the zone file.
Because, if it did change (at sender side) the serial number in the final
SOA would change.
Consequently, since there is a possibility that the second SOA might be
different from the first SOA,
it's RRSIG will be different as well : so, each SOA should be accompanied
by its (own) RRSIG.

Perhaps this brings an additional challenge :
 ? how to link a RRSIG(SOA) with the proper SOA record ?
   --> make it mandatory to have the RRSIG(SOA) immediately follow the SOA
record it signs ?

Kind regards,

Marc Lampo

-----Original Message-----
From: Olafur Gudmundsson [] 
Sent: 28 March 2011 10:12 AM
Subject: [dnsext] Possible DNSSECbis clarifications

Dear colleagues,

The following is a result of a side conversation on the interpretation
of RFC403x with number of DNS colleagues.
Any mistakes in the questions are mine.

The questions are:
1) What is the valid order of signed RRsets?
2) How many times SHOULD/MUST RRSIG(SOA) appear in an AXFR?
3) What RRSIG(SOA)'s MUST appear on the wire in an IXFR transaction?

Q1) A: In RFC403x there is no order requirement on an signed RRset thus 
implementations should be ready to handle any combination
Following Examples should be treated as the same RRset
	RR3		RR1		RR3

Q2) In AXFR the SOA record is used as a marker record to signal the 
beginning of a zone transfer and the end of the zone transfer.
The open question is how many times should RRSIG(SOA) appear in the
AXFR stream ?
	a) Only once
	b) Both times
	c) Does not matter both are ok.

if the answer is a) then the question is when should it appear,
	i) in the beginning after the SOA
	ii) at any time in the AXFR
	iii) just before the final one.
	iv) after the final one.

Q3) In IXFR there are multiple SOA records used as maker both on the 
overall transaction and on each delta.
The questions here are:
Which RRSIG(SOA) i.e. for each serial number, are needed ?
	a) All of them once
	b) all of them each time SOA appears
	b) only the final one, all the other ones are immaterial
	  (open question is how often and where)
	c) The first and last one and each only once,
	   the first one is needed to identify what to delete from
	   the zone, the final one is what is going to be in the
            zone after the IXFR is applied.

Is there need put this information in dnssec-bis (the answer to the AXFR 
question may update RFC5936) and in IXFR-bis document ?