Connected: An Internet Encyclopedia
RFC 2065
4. The SIG Resource Record
4.2 SIG RRs in the Construction of Responses
Security aware DNS servers MUST, for every authoritative RR the query
will return, attempt to send the available SIG RRs which authenticate
the requested RR. The following rules apply to the inclusion of SIG
RRs in responses:
1. When an RR set is placed in a response, its SIG RR has a higher
priority for inclusion than other additional RRs that may need to
be included. If space does not permit its inclusion, the response
MUST be considered truncated except as provided in 2 below.
2. When a SIG RR is present in the zone for an additional information
section RR, the response MUST NOT be considered truncated merely
because space does not permit the inclusion of its SIG RR.
3. SIGs to authenticate non-authoritative data (glue records and NS
RRs for subzones) are unnecessary and MUST NOT be sent. (Note
that KEYs for subzones are controlling in a superzone, so the
superzone's signature on the KEY MUST be included (unless the KEY
was additional information and the SIG did not fit).)
4. If a SIG covers any RR that would be in the answer section of the
response, its automatic inclusion MUST be in the answer section. If
it covers an RR that would appear in the authority section, its
automatic inclusion MUST be in the authority section. If it
covers an RR that would appear in the additional information
section, it MUST appear in the additional information section.
This is a change from the existing standard, which contemplates only
NS and SOA RRs in the authority section.
5. Optionally, DNS transactions may be authenticated by a SIG RR at
the end of the response in the additional information section
(Section 4.1.4). Such SIG RRs are signed by the DNS server
originating the response. Although the signer field MUST be the
name of the originating server host, the owner name, class, TTL,
and original TTL are meaningless. The class and TTL fields
SHOULD be zero. To conserve space, the owner name SHOULD be root
(a single zero octet). If transaction authentication is desired,
that SIG RR must be considered higher priority for inclusion than
any other RR in the response.
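The following is an added illustration of the inclusion rules above; it is not code from RFC 2065 or from this page. It is a toy packer working on constructed RR sets with assumed wire sizes (the RRSet fields, the message limit and the rule about an RR set that itself does not fit are all assumptions), showing which SIG RRs make it into a response and when the response counts as truncated.

```python
from dataclasses import dataclass

@dataclass
class RRSet:
    name: str
    section: str           # "answer", "authority" or "additional"
    size: int              # constructed wire size of the RR set, in octets
    authoritative: bool = True
    sig_size: int = 0      # 0 means the zone holds no SIG RR for this set

ORDER = ("answer", "authority", "additional")

def build_response(rrsets, limit, txn_sig_size=0):
    """Return (sections, truncated) after applying the RFC 2065 4.2 rules."""
    sections = {"answer": [], "authority": [], "additional": []}
    used, truncated = 0, False
    # Rule 5: a transaction SIG outranks every other RR, so reserve it first.
    used += txn_sig_size
    # Pack answer and authority sets before additional data, each set followed
    # by its own SIG (rule 1), which lands in the section it covers (rule 4).
    for rr in sorted(rrsets, key=lambda r: ORDER.index(r.section)):
        if used + rr.size > limit:
            # Assumption (not from this section): an answer/authority set that
            # does not fit truncates; an additional set that does not fit is
            # dropped.
            if rr.section != "additional":
                truncated = True
                break
            continue
        sections[rr.section].append(rr.name)
        used += rr.size
        # Rule 3: glue and subzone NS RRs (non-authoritative) get no SIG.
        if not rr.authoritative or not rr.sig_size:
            continue
        if used + rr.sig_size <= limit:
            sections[rr.section].append("SIG(" + rr.name + ")")
            used += rr.sig_size
        elif rr.section != "additional":
            truncated = True   # rule 1: a missing answer/authority SIG truncates
            break
        # Rule 2: an additional-section SIG that does not fit is just omitted.
    if txn_sig_size:
        sections["additional"].append("SIG(transaction)")
    return sections, truncated
```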