
Re: Wrapup: DNSSECbis Q-8: Non-zone KEY RR at the apex.



At 04:28 PM 5/3/2003 -0400, Rob Austein wrote:
> At Sat, 03 May 2003 20:11:12 +0000, Paul Vixie wrote:
> >
> > > > E.g. "A DNS server compliant with this specification MUST NOT serve a KEY
> > > > RR which has the Zone Key bit set unless that KEY RR is at the zone
> > > > apex. A DNS server MUST set the Zone Key bit for all KEY RRs which are at
> > > > the zone apex."
> > >
> > > Er, no. The zone content is the zone content, and the name server
> > > doesn't get to modify it on the fly (among other reasons, because
> > > doing so would invalidate the signatures).
> >
> > i took this to mean "shall refuse to serve a zone without this property,
> > for example issuing an error and refusing to load or reload a zone if this
> > condition is not satisfied."
>
> Right, I don't have a problem with that interpretation, but if that's
> what we mean, it's probably what we should say :).

Hey, give me a break - I spent all of 5 minutes wordsmithing this stuff....:-)


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
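
The "refuse to load" reading quoted in the thread, sketched as a load-time check. This is an added example, not code from the thread or from any name server; it assumes a simplified one-record-per-line zone format, and the function names and sample zone are hypothetical.

```python
# Added example: load-time check for the quoted rule; names are hypothetical.
ZONE_KEY_BIT = 0x0100  # bit 7 of the 16-bit KEY flags field (flags value 256)

def normalize(name, origin):
    """Lower-case and fully qualify an owner name relative to the origin."""
    origin = origin.lower().rstrip(".") + "."
    if name == "@":
        return origin
    name = name.lower()
    return name if name.endswith(".") else f"{name}.{origin}"

def check_key_rrs(zone_text, origin):
    """Return a list of violations; an empty list means the zone may load."""
    apex = normalize("@", origin)
    errors = []
    for lineno, line in enumerate(zone_text.splitlines(), 1):
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        # Assumed layout: owner TTL IN KEY flags protocol algorithm key
        if len(fields) < 8 or fields[3].upper() != "KEY":
            continue
        owner = normalize(fields[0], origin)
        zone_key = bool(int(fields[4], 0) & ZONE_KEY_BIT)
        if zone_key and owner != apex:
            errors.append((lineno, owner, "Zone Key bit set below the apex"))
        elif not zone_key and owner == apex:
            errors.append((lineno, owner, "apex KEY without Zone Key bit"))
    return errors

def load_zone(zone_text, origin):
    """Refuse the whole zone on any violation; never rewrite the records."""
    errors = check_key_rrs(zone_text, origin)
    if errors:
        raise ValueError(f"refusing to load {origin}: {errors}")
    return zone_text  # served unmodified, so existing signatures stay valid

# Constructed sample zone (key material is placeholder text, not real keys).
SAMPLE = """\
@      3600 IN KEY 256 3 5 AQPlaceholderApexKey
host   3600 IN KEY 256 3 5 AQPlaceholderHostKey ; zone key below apex
@      3600 IN KEY 0   3 5 AQPlaceholderUserKey ; non-zone key at apex
www    3600 IN A   192.0.2.1
"""
```

The check only accepts or rejects the zone as a whole; it never flips a flag bit in a record, which is the on-the-fly modification objected to in the thread.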