
Re: Wrapup: DNSSECbis Q-8: Non-zone KEY RR at the apex.



At Sat, 03 May 2003 20:11:12 +0000, Paul Vixie wrote:
> 
> > > E.g.  "A DNS server compliant with this specification MUST NOT serve a KEY 
> > > RR which has the Zone Key bit set unless that KEY RR is at the zone 
> > > apex.  A DNS server MUST set the Zone Key bit for all KEY RRs which are at 
> > > the zone apex."
> > 
> > Er, no.  The zone content is the zone content, and the name server
> > doesn't get to modify it on the fly (among other reasons, because
> > doing so would invalidate the signatures).
> 
> i took this to mean "shall refuse to serve a zone without this property,
> for example issuing an error and refusing to load or reload a zone if this
> condition is not satisfied."

Right, I don't have a problem with that interpretation, but if that's
what we mean, it's probably what we should say :).

--
archive: <http://ops.ietf.org/lists/namedroppers/>
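
The load-time reading discussed in this message (refuse to load a zone that violates the quoted rule, rather than altering records while serving), as an added example that is not part of the thread or of any name server's code. It assumes a simplified zone-file syntax with an explicit owner name on every line and the Zone Key bit at flag value 0x0100; the function names and sample zones are constructed for illustration.

```python
ZONE_KEY_BIT = 0x0100  # bit 7 of the 16-bit KEY flags field (bit 0 = most significant)

class ZoneLoadError(Exception):
    """Raised instead of serving a zone that violates the quoted rule."""

def _fqdn(name, origin):
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def check_key_rrs(zone_text, origin):
    """Return (line, owner, reason) tuples; an empty list means the zone may load."""
    origin = origin.lower()
    violations = []
    for lineno, raw in enumerate(zone_text.splitlines(), 1):
        fields = raw.split(";", 1)[0].split()      # drop comments, tokenize
        upper = [f.upper() for f in fields]
        if "KEY" not in upper[1:]:                 # field 0 is the owner name
            continue
        owner = _fqdn(fields[0], origin)
        try:
            flags = int(fields[upper.index("KEY", 1) + 1], 0)
        except (IndexError, ValueError):
            violations.append((lineno, owner, "unparseable KEY flags"))
            continue
        at_apex = owner == origin
        zone_key = bool(flags & ZONE_KEY_BIT)
        if zone_key and not at_apex:
            violations.append((lineno, owner, "Zone Key bit set below the apex"))
        elif at_apex and not zone_key:
            violations.append((lineno, owner, "apex KEY without Zone Key bit"))
    return violations

def load_zone(zone_text, origin):
    """Reject the zone on any violation; never rewrite records to make it pass."""
    problems = check_key_rrs(zone_text, origin)
    if problems:
        raise ZoneLoadError(problems)
    return zone_text  # served unmodified, so existing signatures stay valid

# Constructed sample zones (key material is a placeholder, not a real key).
GOOD_ZONE = """\
example.com. 3600 IN SOA ns.example.com. admin.example.com. 1 7200 900 1209600 3600
example.com. 3600 IN KEY 256 3 5 AQPconstructed==
host         3600 IN KEY 0 3 5 AQPconstructed==
"""
BAD_ZONE = """\
@    3600 IN KEY 0x0000 3 5 AQPconstructed==  ; apex, Zone Key bit clear
host 3600 IN KEY 256 3 5 AQPconstructed==     ; below apex, Zone Key bit set
"""
```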