Setting up Dane again from start
Viktor Dukhovni
ietf-dane at dukhovni.org
Thu Feb 12 00:51:34 CET 2015
On Wed, Feb 11, 2015 at 06:19:16PM -0500, John wrote:
> Just curious, you put the actual TLSA record first and then the
> CNAMEs. Any particular reason for the order?
Clarity of exposition. You're outsourcing thinking about this to
the list.
* A DNS zone is a key-value database:
(owner-name, class, type) => RRset
* As with any key-value database the relative order
of keys cannot be significant.
* Even the relative order of RRs within an RRset is not significant
for DNSSEC purposes, as the RRset signature is calculated over
the canonical ordering. So RRsets in which the order matters
cannot rely on DNSSEC to protect that order.
--
Viktor.
More information about the dane-users
mailing list