Setting up Dane again from start

Viktor Dukhovni ietf-dane at
Thu Feb 12 00:51:34 CET 2015

On Wed, Feb 11, 2015 at 06:19:16PM -0500, John wrote:

> Just curious, you put the actual TLSA record first and then the
> CNAMEs. Any particular reason for the order?

Clarity of exposition.  You're outsourcing thinking about this to
the list.

    * A DNS zone is a key-value database:

	(owner-name, class, type) => RRset

    * As with any key-value database the relative order
      of keys cannot be significant.

    * Even the relative order of RRs within an RRset is not significant
      for DNSSEC purposes, as the RRset signature is calculated over
      the canonical ordering.  So RRsets in which the order matters
      cannot rely on DNSSEC to protect that order.


More information about the dane-users mailing list