On Thu, Jul 02, 2009 at 04:57:01PM +0200, W.C.A. Wijngaards wrote:
> On 07/02/2009 04:54 PM, Leen Besselink wrote:
> > Does this information help?
> >
> >> Yes, it does take away my uncertainty about if I understand correctly how DNSSEC works.
> >> It's not possible for Unbound to ask the forwarder for the specific record (I think it's something like KEY)?
> >> Or would a forwarder strip that also?
> >> Or would all these extra requests delay the whole thing far too much and is that a good reason not to do it?
>
> The problem is that the signature should be kept with the data. If you
> ask for the signature and data separately you do not know if they match.
> In fact they may very well be from different versions of the zone,
> therefore in DNSSEC the signatures are sent together with the data.
>

Ohh, of course, now I understand they could otherwise be from different nameservers with different versions of the zone or from the same nameserver but the zone was recently changed.

Thank you for your time, that makes things a lot clearer.

> It would also be slower, yeah.
>
> Best regards,
> Wouter

New things are always on the horizon.
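The version-mismatch problem discussed in this thread, as an added sketch that is not part of the original messages or of Unbound. It assumes an HMAC as a stdlib-only stand-in for a real RRSIG/DNSKEY public-key signature; the `Server` class, `query_sig_only` and all zone data are constructed for illustration.

```python
import hashlib
import hmac

# Constructed stand-in for the zone signing key. Real DNSSEC uses public-key
# signatures (RRSIG verified with DNSKEY); HMAC keeps this sketch stdlib-only.
ZONE_KEY = b"constructed-demo-key"

def sign_rrset(name, rtype, rdatas):
    """Signature over the canonical RRset: owner, type and sorted rdata."""
    canonical = "|".join([name.lower(), rtype] + sorted(rdatas)).encode()
    return hmac.new(ZONE_KEY, canonical, hashlib.sha256).hexdigest()

def validate(name, rtype, rdatas, sig):
    return hmac.compare_digest(sign_rrset(name, rtype, rdatas), sig)

class Server:
    """Authoritative server holding one version of the zone (constructed data)."""
    def __init__(self, serial, zone):
        self.serial = serial
        self.zone = zone  # {(name, rtype): [rdata, ...]}

    def query(self, name, rtype, dnssec_ok=False):
        rdatas = self.zone[(name, rtype)]
        if dnssec_ok:  # signature travels in the same response as the data
            return rdatas, sign_rrset(name, rtype, rdatas)
        return rdatas, None

    def query_sig_only(self, name, rtype):
        # Hypothetical "signature only" lookup, the approach asked about above.
        return sign_rrset(name, rtype, self.zone[(name, rtype)])

# Two servers for the same zone; the secondary has not yet picked up the change.
primary = Server(2009070202, {("www.example.", "A"): ["192.0.2.20"]})
secondary = Server(2009070201, {("www.example.", "A"): ["192.0.2.10"]})

def lookup_together(server):
    data, sig = server.query("www.example.", "A", dnssec_ok=True)
    return validate("www.example.", "A", data, sig)

def lookup_separately(data_server, sig_server):
    data, _ = data_server.query("www.example.", "A")
    sig = sig_server.query_sig_only("www.example.", "A")
    return validate("www.example.", "A", data, sig)

if __name__ == "__main__":
    print("same response, primary:  ", lookup_together(primary))
    print("same response, secondary:", lookup_together(secondary))
    print("data and sig split:      ", lookup_separately(primary, secondary))
```

Either server validates on its own because each response carries a matching data and signature pair; the split lookup fails even though both servers are legitimate and nothing was tampered with.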