In RFC 1034, RRSIGs are required to indicate the zone apex in the Signer's Name field. This creates an implicit conflict with the current text requiring the local resolver's DNSKEY to be located at "resolver.arpa".
Getting rid of the fixed owner name would require a separate "ds=..." key for every authorized subdomain, creating scaling problems for complex split arrangements. Instead, this change resolves the discrepancy by requiring local resolvers to replicate the "resolver.arpa" DNSKEY at each local zone apex. This ensures that all RRSIGs are compliant and minimizes the changes required to resolution logic.
I've also added text covering "single signer" mode, and added advice on how to maintain compatibility with non-split-aware validating stubs.
Fixes #25
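The constraint this change describes (Signer's Name must be the local zone apex, and the DNSKEY at that apex must be a replica of the one at "resolver.arpa") can be expressed as a structural pre-check a split-aware validating stub performs before doing cryptographic verification. The following is an added illustration, not code from the draft or this PR; the zone name "corp.example", the `check_signature_provenance` helper and the key bytes are constructed for the example, and no signature is actually verified.

```python
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        # RFC 4034 Appendix B key tag (valid for every algorithm except 1)
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class RRSIG:
    owner: str        # owner name of the covered RRset
    signer_name: str  # must be the apex of the zone that contains owner
    key_tag: int      # key tag of the DNSKEY that produced the signature


def normalize(name: str) -> str:
    return name.rstrip(".").lower()


def check_signature_provenance(rrsig, local_zone_apex, zone_dnskeys, resolver_arpa_dnskeys):
    """Return the list of problems found; an empty list means the RRSIG may proceed to verification."""
    problems = []
    apex = normalize(local_zone_apex)
    if normalize(rrsig.signer_name) != apex:
        problems.append("Signer's Name is not the zone apex")
    owner = normalize(rrsig.owner)
    if not (owner == apex or owner.endswith("." + apex)):
        problems.append("RRset owner is outside the zone")
    # Only DNSKEYs published at the apex are candidates; match by key tag first.
    local = {k.key_tag(): k for k in zone_dnskeys if normalize(k.owner) == apex}
    authorized = {k.key_tag(): k for k in resolver_arpa_dnskeys}
    key = local.get(rrsig.key_tag)
    if key is None:
        problems.append("no DNSKEY at the apex with the RRSIG's key tag")
    elif rrsig.key_tag not in authorized or authorized[rrsig.key_tag].rdata() != key.rdata():
        problems.append("apex DNSKEY is not a replica of the resolver.arpa DNSKEY")
    return problems


# Constructed sample keys (not real key material): the resolver.arpa DNSKEY and its replica at a local apex.
RESOLVER_ARPA_KEY = DNSKEY("resolver.arpa.", 256, 3, 13, bytes(range(64)))
LOCAL_APEX_KEY = DNSKEY("corp.example.", 256, 3, 13, bytes(range(64)))
```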