
On Fri, Feb 17, 2006 at 02:39:02PM +0100, Roy Arends wrote:
> for authority and additional section information to be sent to the stub. I have no idea why an RFC 4035 compliant resolver would send RRSIGs, NSECs or DNSKEYs to a stub if the DO bit was not set. ANY only covers those if DO=1. [...]
section 3 of RFC 4035 (top of page 9) says:
A security-aware name server that receives a DNS query that does not include the EDNS OPT pseudo-RR or that has the DO bit clear MUST treat the RRSIG, DNSKEY, and NSEC RRs as it would any other RRset and MUST NOT perform any of the additional processing described below.
"treat ... as it would any other RRset" would support ANY covering those, which is consistent with RFC 3225.

-Peter

dns-wg-admin@ripe.net wrote on 17-02-2006 14:49:16:

Maybe this helps:

  3.2. Recursive Name Servers

  3.2.1. The DO Bit

  The resolver side of a security-aware recursive name server MUST set the DO bit when sending requests, regardless of the state of the DO bit in the initiating request received by the name server side. If the DO bit in an initiating query is not set, the name server side MUST strip any authenticating DNSSEC RRs from the response but MUST NOT strip any DNSSEC RR types that the initiating query explicitly requested.

The important part is the last full sentence.

Roy
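As an added illustration of the section 3.2.1 rule quoted in this thread (not code from the thread or from any real name server), the following Python models the resolver side always setting DO upstream and the name server side stripping RRSIG, NSEC and DNSKEY from a DO=0 stub's response unless the query explicitly asked for them; whether QTYPE=ANY counts as an explicit request is left as a flag, since that is the reading the thread disagrees on. The names, record data and cache contents are constructed assumptions.

```python
# Added illustration of RFC 4035 section 3.2.1, written for this thread; it is
# not code from any real name server. All record data below is constructed.

DNSSEC_AUTH_TYPES = frozenset({"RRSIG", "NSEC", "DNSKEY"})

# Constructed cache contents for one zone: what the resolver side holds after
# fetching with DO=1 (it always sets DO upstream, whatever the stub sent).
CACHE = [
    ("www.example.", "A", "192.0.2.1"),
    ("www.example.", "RRSIG", "A (constructed signature data)"),
    ("example.", "NS", "ns1.example."),
    ("example.", "RRSIG", "NS (constructed signature data)"),
    ("example.", "DNSKEY", "257 3 8 (constructed key data)"),
    ("example.", "NSEC", "mail.example. A NS SOA RRSIG NSEC DNSKEY"),
]


def upstream_do_bit(client_do: bool) -> bool:
    """Resolver side: DO is set on outgoing requests regardless of the DO bit
    in the initiating query (first sentence of 3.2.1)."""
    return True


def explicitly_requested(qtype: str, any_is_explicit: bool) -> frozenset:
    """Types the initiating query explicitly asked for. Whether QTYPE=ANY is an
    explicit request for RRSIG/NSEC/DNSKEY is the point debated in the thread,
    so the flag lets both readings be modelled."""
    if qtype == "ANY":
        return DNSSEC_AUTH_TYPES if any_is_explicit else frozenset()
    return frozenset({qtype})


def build_response(qtype, client_do, rrsets, any_is_explicit=True):
    """Name server side (second sentence of 3.2.1): with DO=1 nothing is
    stripped; with DO=0 the authenticating DNSSEC RRs are stripped unless
    they were explicitly requested. rrsets is a list of (owner, type, rdata)."""
    if client_do:
        return list(rrsets)
    keep = explicitly_requested(qtype, any_is_explicit)
    return [rr for rr in rrsets if rr[1] not in DNSSEC_AUTH_TYPES or rr[1] in keep]


if __name__ == "__main__":
    for qtype, do in (("A", False), ("A", True), ("RRSIG", False), ("ANY", False)):
        print(f"QTYPE={qtype} DO={int(do)}:")
        for rr in build_response(qtype, do, CACHE):
            print("   ", *rr)
```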