[DNSOP] signing glue and additional data

Jim Reid <jim@rfc1035.com> Sat, 16 January 2010 13:25 UTC

From: Jim Reid <jim@rfc1035.com>
To: George Barwood <george.barwood@blueyonder.co.uk>
In-Reply-To: <C7567F001CD94F1891C91E162FD5316B@localhost>
X-Priority: 3
References: <201001131823.o0DINxYv068180@stora.ogud.com> <C70EBA7D41694531819FB0923455C684@localhost> <C7567F001CD94F1891C91E162FD5316B@localhost>
Message-Id: <CEB4088B-AAB5-4718-981F-4F4887E714E6@rfc1035.com>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Sat, 16 Jan 2010 13:25:25 +0000
X-Mailer: Apple Mail (2.936)
Cc: IETF DNSOP WG <dnsop@ietf.org>
Subject: [DNSOP] signing glue and additional data

On 16 Jan 2010, at 11:17, George Barwood wrote:

> To correct my statement, the following query shows that glue records may be signed
>
> dig soa se @a.ns.se +dnssec

No it doesn't. The name servers for .se are authoritative for the address records for *.ns.se. And ns.se isn't delegated either. The A and AAAA records for *.ns.se in this response are not glue. They would be glue if they were in a referral response from a server for .se's parent.

> The question then is "is the additional RRSIG data useful" ?
>
> My answer is "probably not".

So authoritative servers shouldn't volunteer helpful/relevant data in the Additional Section of a response, should they? If the server's got additional data that might benefit the client -- like an A or AAAA record for a hostname in the RDATA of an answer -- it makes sense for the server to include it provided there's room for that data in the response. That also applies to any RRSIG(s) over that additional data, assuming of course the client had set the DO bit.
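As an added illustration that is not part of either message above: a standard-library-only Python script that (a) builds a query carrying an EDNS0 OPT record with the DO bit set, as the reply says a client must do to receive RRSIGs in the Additional Section, and (b) applies the glue-versus-authoritative rule from the reply to the Additional Section of two constructed responses. The section representation (lists of owner/type tuples), the `served_zone` parameter, and the two sample responses (a referral for `se` as a root server would send it, and the SOA answer from `a.ns.se`) are assumptions made for the example, not captured packets.

```python
"""
Build a DNSSEC-aware query (EDNS0, DO bit) and label Additional-section
address records as glue or in-zone authoritative data.  Standard library only.
"""
import struct


def encode_name(name):
    """Encode a dotted name as DNS wire labels; the root is a single zero byte."""
    labels = name.rstrip(".").split(".") if name.rstrip(".") else []
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_query(qname, qtype, do=True, udp_size=4096, msg_id=0x1234):
    """Standard query (RD=1) plus an OPT pseudo-RR in Additional carrying DO."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: owner = root, TYPE 41, CLASS = requestor's UDP payload size,
    # TTL field = ext-rcode(8) | version(8) | DO(1) | Z(15), RDLENGTH = 0.
    ttl = 0x8000 if do else 0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, ttl, 0)
    return header + question + opt


def _skip_name(wire, off):
    """Advance past a wire-format name (handles a compression pointer)."""
    while True:
        ln = wire[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:      # pointer: two bytes, terminates the name
            return off + 2
        off += 1 + ln


def has_do_bit(wire):
    """Walk a message and report whether an OPT RR in Additional has DO set."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(wire, off) + 4            # QTYPE + QCLASS
    for _ in range(an + ns):
        off = _skip_name(wire, off)
        rdlen = struct.unpack("!H", wire[off + 8:off + 10])[0]
        off += 10 + rdlen
    for _ in range(ar):
        off = _skip_name(wire, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
        if rtype == 41 and ttl & 0x8000:
            return True
        off += 10 + rdlen
    return False


def _in_zone(name, zone):
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return zone == "" or name == zone or name.endswith("." + zone)


def classify_additional(served_zone, answer, authority, additional):
    """
    Label each A/AAAA record in Additional as 'glue', 'authoritative' or
    'out-of-zone'.  Sections are lists of (owner, rrtype) tuples (assumed
    representation).  A referral has an empty Answer and NS records in
    Authority for a zone *below* the served zone; address records at or below
    that cut are glue.  Address records inside the served zone and not below a
    cut are the server's own data, which it may sign.
    """
    cuts = {owner for owner, rtype in authority if rtype == "NS"
            and owner.rstrip(".").lower() != served_zone.rstrip(".").lower()}
    referral = not answer and bool(cuts)
    result = {}
    for owner, rtype in additional:
        if rtype not in ("A", "AAAA"):
            continue
        if referral and any(_in_zone(owner, cut) for cut in cuts):
            result[owner] = "glue"
        elif _in_zone(owner, served_zone):
            result[owner] = "authoritative"
        else:
            result[owner] = "out-of-zone"
    return result


if __name__ == "__main__":
    # Constructed sample 1: 'dig soa se @a.ns.se +dnssec' as seen from a .se server.
    print(classify_additional("se.", [("se.", "SOA")], [("se.", "NS")],
                              [("a.ns.se.", "A"), ("a.ns.se.", "AAAA"),
                               ("a.ns.se.", "RRSIG")]))
    # Constructed sample 2: the same names in a referral from .se's parent.
    print(classify_additional(".", [], [("se.", "NS")], [("a.ns.se.", "A")]))
    print(has_do_bit(build_query("se.", 6)))
```

Running the block shows `a.ns.se.` labelled `authoritative` in the first response and `glue` in the second, which is the distinction the reply draws: the same A record is glue only when it rides in a referral from the parent. An RRSIG in the Additional Section is therefore only meaningful in the first case, and only if the query carried the DO bit that `build_query` sets.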