Matthijs,

On Mar 25, 2008, at 3:12 AM, Matthijs Mekking wrote:

>> (1a) Both edge and transit addresses are returned in standard A/AAAA records, and extra (newly defined) "E/EEEE" records indicate which ones are edge addresses. The DNS proxy forwards only the A/AAAA records that include edge addresses to the resolver. This is compatible with DNSSEC because forwarded records are unchanged.
>
> This will actually break DNSSEC. If I'm correct, signatures are generated over the whole RRset, and if you only forward a part of the RRset, the validation will fail.
An RRset is defined (in RFC 2181) to be all records of the same label, class, and type. The E/EEEE records would be of a different type and thus would be outside of the A/AAAA RRset over which the signature would be generated. Of course there would be no verifiable binding between the two (not sure that matters).
Regards,
-drc

--
to unsubscribe send a message to rrg-request@psg.com with the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg
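Both points in the exchange above (the signature covers the whole A/AAAA RRset, and records of another type sit outside that RRset) can be checked with a small model of RRset canonicalisation. The following is an added example, not code from the list or from any DNS implementation: it builds the RRset in the canonical form of RFC 4034 section 6 and then stands in for the real RRSIG public-key signature with an HMAC under a constructed key so it runs offline. The E/EEEE type codes and their RDATA layout are assumptions, since the proposal does not define them.

```python
"""Why a DNSSEC signature covers a whole RRset, as a runnable toy.

Added example for this thread, not code from the list or any DNS project.
A real RRSIG is an RSA/ECDSA signature over the RRSIG RDATA plus the RRset
in canonical form (RFC 4034 sections 3.1.8.1 and 6); this stand-in signs
only the canonical RRset with an HMAC keyed by a constructed secret.
"""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

ZONE_KEY = b"constructed-zone-key-not-a-real-dnssec-key"

# A and AAAA are IANA type codes; E/EEEE are assumed private-use codes.
TYPE_CODES = {"A": 1, "AAAA": 28, "E": 65280, "EEEE": 65281}
CLASS_CODES = {"IN": 1}


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str        # IP literal for all four types (assumption for E/EEEE)
    ttl: int = 300
    rclass: str = "IN"


def wire_name(name: str) -> bytes:
    """Canonical owner name (RFC 4034 section 6.2): lowercase, wire-format labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def wire_rdata(rr: RR) -> bytes:
    """RDATA in wire form; A and E carry IPv4, AAAA and EEEE carry IPv6 (assumed)."""
    if rr.rtype in ("A", "E"):
        return ipaddress.IPv4Address(rr.rdata).packed
    return ipaddress.IPv6Address(rr.rdata).packed


def rrset(records, name: str, rtype: str, rclass: str = "IN"):
    """RFC 2181 section 5: every RR sharing owner name, class and type."""
    return [r for r in records
            if r.name.lower() == name.lower() and r.rtype == rtype and r.rclass == rclass]


def canonical_rrset(rrs) -> bytes:
    """RFC 4034 section 6.3: RRs sorted by RDATA, each as name|type|class|TTL|rdlen|rdata."""
    if not rrs:
        raise ValueError("empty RRset")
    first = rrs[0]
    if any((r.name.lower(), r.rtype, r.rclass, r.ttl) !=
           (first.name.lower(), first.rtype, first.rclass, first.ttl) for r in rrs):
        raise ValueError("records do not form one RRset")
    out = b""
    for rdata in sorted(wire_rdata(r) for r in rrs):
        out += (wire_name(first.name)
                + struct.pack("!HHIH", TYPE_CODES[first.rtype], CLASS_CODES[first.rclass],
                              first.ttl, len(rdata))
                + rdata)
    return out


def sign_rrset(rrs, key: bytes = ZONE_KEY) -> bytes:
    """Stand-in for RRSIG generation: MAC over the canonical RRset."""
    return hmac.new(key, canonical_rrset(rrs), hashlib.sha256).digest()


def verify_rrset(rrs, sig: bytes, key: bytes = ZONE_KEY) -> bool:
    """Validator side: recompute over whatever RRset arrived and compare."""
    try:
        return hmac.compare_digest(sign_rrset(rrs, key), sig)
    except ValueError:
        return False


def proxy_scenarios():
    """Constructed authoritative answer: two A records, one E record marking the edge."""
    answer = [
        RR("host.example.", "A", "192.0.2.1"),   # edge address
        RR("host.example.", "A", "192.0.2.2"),   # transit address
        RR("host.example.", "E", "192.0.2.1"),   # hypothetical E record marking the edge
    ]
    a_rrset = rrset(answer, "host.example.", "A")
    sig = sign_rrset(a_rrset)                     # what the zone's RRSIG(A) would cover

    # Proposal (1a): proxy forwards only the A records that are edge addresses.
    edge_only = [r for r in a_rrset if r.rdata == "192.0.2.1"]
    # Alternative: proxy forwards the full A RRset and strips only the E record.
    e_stripped = rrset([r for r in answer if r.rtype != "E"], "host.example.", "A")

    return {
        "full_a_validates": verify_rrset(a_rrset, sig),
        "order_independent": sign_rrset(list(reversed(a_rrset))) == sig,
        "edge_subset_validates": verify_rrset(edge_only, sig),
        "e_record_outside_a_rrset": len(rrset(answer, "host.example.", "E")) == 1
                                    and len(a_rrset) == 2,
        "strip_e_only_validates": verify_rrset(e_stripped, sig),
    }


if __name__ == "__main__":
    for label, result in proxy_scenarios().items():
        print(f"{label}: {result}")
```

Forwarding the edge-only subset fails because the validator recomputes over a different canonical RRset than the signer saw; dropping the separate E RRset leaves the A RRset (and its signature) intact, which is the distinction drc draws, while the absence of any signed binding between the A and E RRsets is exactly the gap he notes in passing.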