
Re: Wrapup: DNSSECbis Q-8: Non-zone KEY RR at the apex.



At Sat, 03 May 2003 00:54:38 -0400, Michael StJohns wrote:
> 
> Without making any comment on whether or not non-zone KEY RRs are 
> useful/bad, if the restriction is adopted, it should probably be stated as 
> a protocol restriction rather than a data content restriction.
> 
> E.g.  "A DNS server compliant with this specification MUST NOT serve a KEY 
> RR which has the Zone Key bit set unless that KEY RR is at the zone 
> apex.  A DNS server MUST set the Zone Key bit for all KEY RRs which are at 
> the zone apex."

Er, no.  The zone content is the zone content, and the name server
doesn't get to modify it on the fly (among other reasons, because
doing so would invalidate the signatures).

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
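The reply's point that rewriting a KEY RR on the fly invalidates its signature, as an added example that is not part of the original message or of any name server's code. The toy RSA parameters, key bytes and owner name are constructed, the Zone Key bit is taken as bit 7 of the flags field (0x0100), and for brevity the signature covers only the canonical RR, whereas a real SIG also covers its own RDATA fields.

```python
import hashlib
import struct

KEY_TYPE, CLASS_IN = 25, 1
ZONE_KEY_BIT = 0x0100  # bit 7 of the 16-bit KEY flags field (assumption stated in lead-in)

# Toy RSA key (constructed, insecure) standing in for the zone's signing key.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def wire_name(name):
    """Canonical (lowercased) wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_rdata(flags, protocol, algorithm, public_key):
    """KEY RDATA: flags (16 bits), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def canonical_rr(owner, ttl, rdata):
    """Owner | type | class | TTL | RDLENGTH | RDATA, the bytes that get signed."""
    header = struct.pack("!HHIH", KEY_TYPE, CLASS_IN, ttl, len(rdata))
    return wire_name(owner) + header + rdata

def digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(data):
    return pow(digest_int(data), D, N)

def verify(data, sig):
    return pow(sig, E, N) == digest_int(data)

def force_zone_key_bit(rdata):
    """Hypothetical server-side rewrite: set the Zone Key bit while serving."""
    (flags,) = struct.unpack("!H", rdata[:2])
    return struct.pack("!H", flags | ZONE_KEY_BIT) + rdata[2:]

def demo():
    # Zone signer: a non-zone KEY (Zone Key bit clear) at the apex, signed offline.
    signed = key_rdata(0x0000, 3, 5, b"constructed-public-key-bytes")
    sig = sign(canonical_rr("Example.COM.", 3600, signed))
    # Server: one copy served as signed, one with the bit forced on.
    served = force_zone_key_bit(signed)
    return (verify(canonical_rr("example.com.", 3600, signed), sig),
            verify(canonical_rr("example.com.", 3600, served), sig))

if __name__ == "__main__":
    print(demo())
```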