The chapter #authoritative-behavior reads:

> If the zone is signed, the server SHOULD also include positive or negative DNSSEC responses for these records in the Additional section.

I'm unsure what a positive or negative DNSSEC response might be from an authoritative DNS server.
I can imagine an authoritative DNS server returning signature (RRSIG) records for the records in the Additional section (standard DNSSEC behavior). However, an authoritative DNS server does not do DNSSEC validation, so to my knowledge there is no "positive" or "negative" DNSSEC response possible.
It means that if there are "positive" answers (SVCB exists) that the additional records (A/AAAA) should also include signatures (RRSIG) as you say. I assume the text means (or at least how I interpret it) that in case of a non-existing A/AAAA record the (NOERROR/NoData) DNSSEC proof for those should be added, which would require the NSEC(3) record with a bitmap plus the signature that does not have the missing address record, but I don't think any authoritative server does that when they include an existing record for the target name. It would be no harm as the additional section gets ignored most of the time anyway, but it is different from what authoritative servers do today AFAIK. I seem to recall that text being "appropriate DNSSEC records", maybe we should revert to that. As said, most resolvers will ignore the additional section and query A/AAAA independently.
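An added example, not part of the issue thread or the draft: the "negative" case discussed above comes down to an NSEC record whose type bitmap omits the queried address type. The sketch below encodes and decodes that bitmap as laid out in RFC 4034 section 4.1.2 and checks for the omission. The record set is constructed, the function names are hypothetical, and RRSIG verification and owner-name matching are assumed to happen elsewhere.

```python
# Added illustration: NSEC type bitmap handling (RFC 4034, section 4.1.2).
RRTYPE = {"A": 1, "CNAME": 5, "AAAA": 28, "RRSIG": 46, "NSEC": 47,
          "HTTPS": 65, "CAA": 257}

def encode_type_bitmap(types):
    """Build the wire-format bitmap an authoritative server puts in NSEC."""
    windows = {}
    for t in types:
        bits = windows.setdefault(t >> 8, bytearray(32))
        bits[(t & 0xFF) >> 3] |= 0x80 >> (t & 7)
    out = bytearray()
    for win in sorted(windows):
        bits = bytes(windows[win]).rstrip(b"\x00")  # drop trailing zero octets
        out += bytes([win, len(bits)]) + bits
    return bytes(out)

def decode_type_bitmap(data):
    """Return the set of RR type codes present; reject malformed input."""
    types, pos, last_win = set(), 0, -1
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated window header")
        win, length = data[pos], data[pos + 1]
        if win <= last_win or not 1 <= length <= 32:
            raise ValueError("bad window order or bitmap length")
        block = data[pos + 2:pos + 2 + length]
        if len(block) != length:
            raise ValueError("truncated bitmap")
        for i, octet in enumerate(block):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.add((win << 8) | (i << 3) | bit)
        last_win, pos = win, pos + 2 + length
    return types

def proves_nodata(bitmap, qtype):
    """True if this NSEC bitmap shows qtype (and CNAME) absent at the owner.

    Assumes the NSEC owner equals the target name and that its RRSIG has
    already been validated; neither is checked here.
    """
    present = decode_type_bitmap(bitmap)
    return qtype not in present and RRTYPE["CNAME"] not in present

# Constructed target name that has A and HTTPS but no AAAA.
SAMPLE = encode_type_bitmap(
    RRTYPE[n] for n in ("A", "RRSIG", "NSEC", "HTTPS", "CAA"))
```

With this bitmap, a server following the quoted sentence would attach the A RRset with its RRSIG (positive) and the NSEC with its RRSIG in place of the missing AAAA (negative).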