Connected: An Internet Encyclopedia
3.7 KEY RRs in the Construction of Responses

Up: Connected: An Internet Encyclopedia
Up: Requests For Comments
Up: RFC 2065
Up: 3. The KEY Resource Record
Prev: 3.6 Interaction of Flags, Algorithm, and Protocol Bytes
Next: 3.8 File Representation of KEY RRs

3.7 KEY RRs in the Construction of Responses

3.7 KEY RRs in the Construction of Responses

An explicit request for KEY RRs does not cause any special additional information processing except, of course, for the corresponding SIG RR from a security aware server.

Security aware DNS servers MUST include KEY RRs as additional information in responses where appropriate including the following:

(1) On the retrieval of NS RRs, the zone key KEY RR(s) for the zone served by these name servers MUST be included as additional information if space is avilable. There will always be at least one such KEY RR in a secure zone, even if it has the no-key type value to indicate that the subzone is insecure. If not all additional information will fit, the KEY RR(s) have higher priority than type A or AAAA glue RRs. If such a KEY RR does not fit on a retrieval, the retrieval must be considered truncated.

(2) On retrieval of type A or AAAA RRs, the end entity KEY RR(s) MUST be included if space is available. On inclusion of A or AAAA RRs as additional information, their KEY RRs will also be included but with lower priority than the relevant A or AAAA RRs.


Next: 3.8 File Representation of KEY RRs

Connected: An Internet Encyclopedia
3.7 KEY RRs in the Construction of Responses