[Yeti DNS Discuss] Re: Re: Re: Five additional servers added to Yeti testbed & a bug finding on priming response

Davey Song(宋林健) ljsong at biigroup.cn
Fri May 6 09:05:07 UTC 2016

>> Knot IXFR behavior actually allows an advanced MZSK which requires
>> the resolver to validate each RRSIG from multiple signers.

> Not really. If such a resolver existed, it would still break since Knot
> does not guarantee it will have every signature, only the signatures of the
> DM it was in touch with. Since a root name server contacts DM according to
> its own algorithm (random, RTT-fastest, round-robin, whatever), you will not
> have such a guarantee (yesterday, dahu2.yeti.eu.org served only two sigs,
> while we have three DMs).

Yes, you are right. The kind of advanced MZSK I imagined requires every DM to
share all its RRSIGs, like they share their public keys. But if all RRSIGs are
in the root zone, we do not need the Knot IXFR feature any more.

