Hi Scott,

On 28.03.2019 15:35, Hollenbeck, Scott wrote:
> Speaking as one of the authors of RFC 7483: delegationSigned is for the parent and zoneSigned is for the subject domain. If the parent has DS records, we know that the subject domain _should_ be signed. For what it's worth, neither of us authors feels that text is really clear.
Thanks for your answer. Let's take an example to make sure I understood you correctly:

I'm the registry for .example. The zone test.example is registered and the registrar provided DS records. If someone now uses my RDAP server and inquires about test.example, I return delegationSigned = true, because I know that DS records for test.example exist. So far so clear. For zoneSigned I see two possibilities:

1. I also return zoneSigned=true, because I assume that test.example is signed.
2. I don't publish zoneSigned, because I don't know for sure whether the zone is signed.

In Case 1 delegationSigned and zoneSigned will always have the same value, so there's no real benefit in publishing both. As a consequence, as a registry I would say I always ignore zoneSigned and don't publish it.

The only real use case for zoneSigned is if I am a registrar and also run the DNS service for my customer. Only then do I know for sure whether the zone is signed or not.

Cheers,

Michael

--
Dipl.-Informatiker
Dr. Michael Bauland
Software Development

Knipp Medien und Kommunikation GmbH
Technologiepark
Martin-Schmeisser-Weg 9
44227 Dortmund
Germany

Fon: +49 231 9703-0
Fax: +49 231 9703-200
SIP: Michael.Bauland@knipp.de
E-mail: Michael.Bauland@knipp.de

Register Court: Amtsgericht Dortmund, HRB 13728
Chief Executive Officers: Dietmar Knipp, Elmar Knipp
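Added example, not part of the original message or of RFC 7483: a sketch of option 2 above, where a server omits zoneSigned unless it actually knows the zone's state, together with a client-side reading that keeps an absent zoneSigned distinct from false. The function names `secure_dns` and `interpret` and the DS values are assumptions made up for illustration; the member names are those of the RFC 7483 secureDNS object.

```python
import json

# Constructed sample DS data for test.example (values are placeholders).
SAMPLE_DS = {"keyTag": 12345, "algorithm": 13, "digestType": 2,
             "digest": "0" * 64}


def secure_dns(ds_records, zone_signed=None):
    """Build a secureDNS member for an RDAP domain response.

    ds_records  -- DS data held for the delegation (list of dicts, may be empty)
    zone_signed -- True/False only when the operator really knows, e.g. it
                   also runs the DNS service for the zone; None means unknown
    """
    obj = {"delegationSigned": bool(ds_records)}
    if ds_records:
        obj["dsData"] = [dict(ds) for ds in ds_records]
    if zone_signed is not None:      # unknown: omit the member, do not guess
        obj["zoneSigned"] = zone_signed
    return obj


def interpret(sec):
    """Client-side reading that does not treat a missing flag as false."""
    delegated = sec.get("delegationSigned")
    zone = sec.get("zoneSigned")     # None when the server did not publish it
    if delegated and zone is False:
        return "DS at parent but zone reported unsigned: validation would fail"
    if delegated and zone is None:
        return "DS at parent; zone signing not asserted by this server"
    if delegated and zone:
        return "DS at parent and zone reported signed"
    if zone:
        return "zone signed but no DS at parent: no chain of trust"
    return "no DNSSEC delegation reported"


if __name__ == "__main__":
    registry_view = secure_dns([SAMPLE_DS])                     # registry only
    operator_view = secure_dns([SAMPLE_DS], zone_signed=True)   # runs the DNS
    for view in (registry_view, operator_view):
        print(json.dumps(view, indent=2))
        print(interpret(view))
```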