Re: Question about TSIG, AD/AA, and AXFR

Jakob Schlyter <jakob@crt.se> Tue, 17 July 2001 21:33 UTC

From: Jakob Schlyter <jakob@crt.se>
To: Edward Lewis <lewis@tislabs.com>
Cc: namedroppers@ops.ietf.org
Subject: Re: Question about TSIG, AD/AA, and AXFR
In-Reply-To: <v03130310b77a4cb4fd4c@[199.171.39.21]>
Message-Id: <E15McJ9-0007DB-00@psg.com>
Date: Tue, 17 Jul 2001 14:23:07 -0700

On Tue, 17 Jul 2001, Edward Lewis wrote:

> >authoritative. I believe this is wrong - data shouldn't be checked on load,
> >it should be checked on query.
>
> What are the chances that this will happen, I mean software development
> wise?  It does make more sense to check on query for two reasons - the SIG
> validity is more timely and the need to get other data (the key chain)
> shouldn't slow the loading process.

not only does it make more sense to check on query, you will lie if you
don't (or at least, possibly lie).

bind9 has fixed this (it doesn't check on load anymore) but currently
doesn't check data it is authoritative for at all. this is of course not a
requirement, but it does make it impossible to have a server authoritative
and act as a resolver at the same time while serving clients that put
their trust into the AD-bit.

> >I think the AA-bit could be trustworthy for very simple resolvers that,
> >for some reason, do trust their local resolver.
>
> I don't think this as "special case" as you make it seem.

my typo, that should have been "I think the AD-bit could be trustworthy
for very simple resolvers that, for some reason, do trust their local
resolver."

there is no special case, the trust a host puts into dns data depends on
from whom and how it gets it. some may trust AD alone, some may require
AD+TSIG, some don't care about dnssec at all.

> I think I (or someone) needs to document the cases in a more formal
> way to make sure we're on the same page.  Too late for an I-D, but
> perhaps something will be distributed on dnssec@cafax.se in the next
> few weeks.

yes, something that describes dnssec from the resolver perspective needs
to be written down.

	jakob
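
An added illustration, not part of the thread, of the AA/AD distinction and the per-host trust choice discussed above: a minimal DNS header parser plus a client-side policy function. The policy names ("none", "ad", "ad+tsig") and the resolver_trusted/tsig_verified inputs are assumptions made for the example.

```python
import struct
from dataclasses import dataclass

# DNS header flag bits: QR/AA/TC/RD/RA from RFC 1035, AD/CD from RFC 2535.
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010


@dataclass(frozen=True)
class DnsHeader:
    qr: bool
    opcode: int
    aa: bool   # Authoritative Answer: the responder is authoritative for the zone
    ad: bool   # Authentic Data: the responding resolver claims it validated the data
    cd: bool   # Checking Disabled
    rcode: int


def parse_header(msg: bytes) -> DnsHeader:
    """Decode the fixed 12-byte DNS header; only the flag word is used here."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _msg_id, flags = struct.unpack("!HH", msg[:4])
    return DnsHeader(qr=bool(flags & QR), opcode=(flags >> 11) & 0xF,
                     aa=bool(flags & AA), ad=bool(flags & AD),
                     cd=bool(flags & CD), rcode=flags & 0xF)


def accept_as_secure(hdr: DnsHeader, resolver_trusted: bool,
                     tsig_verified: bool, policy: str) -> bool:
    """Decide whether a stub should treat an answer as DNSSEC-validated.

    policy (assumed names): 'none' = ignore DNSSEC, 'ad' = trust the AD bit
    from a trusted resolver, 'ad+tsig' = additionally require that the
    response arrived over a TSIG-verified channel.  AA is ignored on purpose:
    it says who answered, not that anything was validated.
    """
    if policy not in ("none", "ad", "ad+tsig"):
        raise ValueError(f"unknown policy {policy!r}")
    if policy == "none":
        return True
    if not (hdr.qr and hdr.ad and resolver_trusted):
        return False  # an AD bit from an untrusted path is just a bit on the wire
    return policy == "ad" or tsig_verified


# Constructed sample headers (id 0x1234, counts zeroed): QR|AA|AD vs QR|AA only.
SAMPLE_AA_AD = struct.pack("!HH", 0x1234, QR | AA | AD) + b"\x00" * 8
SAMPLE_AA_ONLY = struct.pack("!HH", 0x1234, QR | AA) + b"\x00" * 8
```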