8.1 Server Conformance

Two levels of server conformance are defined as follows:

Minimal server compliance is the ability to store and retrieve (including zone transfer) SIG, KEY, and NXT RRs. Any secondary, caching, or other server for a secure zone MUST be at least minimally compliant and even then some things, such as secure CNAMEs, will not work without full compliance.

Full server compliance adds the following to basic compliance:

(1) ability to read SIG, KEY, and NXT RRs in zone files and (2) ability, given a zone file and private key, to add appropriate SIG and NXT RRs, possibly via a separate application, (3) proper automatic inclusion of SIG, KEY, and NXT RRs in responses, (4) suppression of CNAME following on retrieval of the security type RRs, (5) recognize the CD query header bit and set the AD query header bit, as appropriate, and (6) proper handling of the two NXT RRs at delegation points. Primary servers for secure zones MUST be fully compliant and for completely successful secure operation, all secondary, caching, and other servers handling the zone SHOULD be fully compliant as well.