Paul Wouters <paul at nohats.ca> wrote Sun, 3 Apr 2016 14:49:26 -0300:
| >
| > My validation program reads a set of RRs in wire format where the first
| > RR is a DS RR, the next one is an RRSIG RR covering the previous DS RR
| > and the rest are "support records", including RRSIGs.
|
| Note you need to be able to accept any order of RRdata if you get the
| order that came in on the wire (because at least powerdns randomized
| the rrset)

I'd like to require that the first record is the DS to be added to the
log. This is in order to know _which_ DS in the rrset to add. Unless I'm to
pick the one with the "longest" owner name, but that seems icky.

An alternative would be to separate the DS (and its RRSIG) from the
chain by adding another input beside 'chain' (as described in
draft-zhang-trans-ct-dnssec-03 section 6.1).

Regarding what powerdns does or does not, I'm expecting someone to
implement a client for this log that formats the data according to the
draft, or something else that we decide upon.
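The two ways of locating the DS that the mail discusses (require it to be the first RR with its RRSIG second, versus picking the DS with the longest owner name regardless of order) can be made concrete with a small parser for a concatenation of wire-format RRs. The code below is an added illustration, not the validation program or any code from the thread; it assumes uncompressed owner names in the chain input and does no cryptographic verification of the RRSIG, only structural checks. The sample chain is constructed with placeholder digests and signatures, and the "longest owner name" rule is interpreted here as the DS with the most labels.

```python
import struct

TYPE_DS, TYPE_RRSIG, TYPE_DNSKEY, CLASS_IN = 43, 46, 48, 1


def encode_name(name):
    """Dotted name -> uncompressed wire-format labels (root is a single zero byte)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf, pos):
    """Read an uncompressed name; compression pointers are rejected (assumption for this input)."""
    labels = []
    while True:
        n = buf[pos]
        pos += 1
        if n == 0:
            return ".".join(labels) + ".", pos
        if n & 0xC0:
            raise ValueError("compression pointers not allowed in chain input")
        labels.append(buf[pos:pos + n].decode("ascii"))
        pos += n


def encode_rr(name, rtype, ttl, rdata):
    """Owner NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA (RFC 1035 RR wire layout)."""
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def ds_rdata(key_tag, algorithm, digest_type, digest):
    return struct.pack("!HBB", key_tag, algorithm, digest_type) + digest


def rrsig_rdata(type_covered, alg, labels, orig_ttl, expiration, inception, key_tag, signer, sig):
    hdr = struct.pack("!HBBIIIH", type_covered, alg, labels, orig_ttl, expiration, inception, key_tag)
    return hdr + encode_name(signer) + sig


def parse_rrs(buf):
    """Split a concatenation of wire-format RRs into (owner, type, ttl, rdata) tuples."""
    rrs, pos = [], 0
    while pos < len(buf):
        owner, pos = decode_name(buf, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, pos)
        pos += 10
        rdata = buf[pos:pos + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated RR")
        pos += rdlen
        rrs.append((owner, rtype, ttl, rdata))
    return rrs


def rrsig_type_covered(rdata):
    return struct.unpack_from("!H", rdata, 0)[0]


def select_ds_first(rrs):
    """Positional rule from the mail: RR[0] is the DS to log, RR[1] its RRSIG; rest is support."""
    if len(rrs) < 2:
        raise ValueError("need at least a DS and its RRSIG")
    ds, sig = rrs[0], rrs[1]
    if ds[1] != TYPE_DS:
        raise ValueError("first RR is not a DS")
    if sig[1] != TYPE_RRSIG or rrsig_type_covered(sig[3]) != TYPE_DS:
        raise ValueError("second RR is not an RRSIG covering DS")
    if sig[0].lower() != ds[0].lower():
        raise ValueError("RRSIG owner does not match DS owner")
    return ds, sig, rrs[2:]


def select_ds_longest_owner(rrs):
    """Order-independent alternative: the DS with the most labels is the one to log."""
    ds_rrs = [rr for rr in rrs if rr[1] == TYPE_DS]
    if not ds_rrs:
        raise ValueError("no DS in input")
    ds = max(ds_rrs, key=lambda rr: rr[0].count("."))
    sigs = [rr for rr in rrs if rr[1] == TYPE_RRSIG
            and rrsig_type_covered(rr[3]) == TYPE_DS and rr[0].lower() == ds[0].lower()]
    if not sigs:
        raise ValueError("no RRSIG covering the selected DS")
    rest = [rr for rr in rrs if rr is not ds and rr is not sigs[0]]
    return ds, sigs[0], rest


def build_sample_chain():
    """Constructed sample (placeholder digests/signatures): returns (ordered, shuffled) inputs."""
    ds_child = encode_rr("example.com.", TYPE_DS, 3600, ds_rdata(12345, 13, 2, b"\x11" * 32))
    sig_child = encode_rr("example.com.", TYPE_RRSIG, 3600,
                          rrsig_rdata(TYPE_DS, 13, 2, 3600, 1460000000, 1459000000, 11111, "com.", b"\x22" * 64))
    ds_parent = encode_rr("com.", TYPE_DS, 86400, ds_rdata(54321, 8, 2, b"\x33" * 32))
    sig_parent = encode_rr("com.", TYPE_RRSIG, 86400,
                           rrsig_rdata(TYPE_DS, 8, 1, 86400, 1460000000, 1459000000, 22222, ".", b"\x44" * 128))
    dnskey_com = encode_rr("com.", TYPE_DNSKEY, 86400, struct.pack("!HBB", 257, 3, 8) + b"\x55" * 64)
    ordered = [ds_child, sig_child, ds_parent, sig_parent, dnskey_com]
    shuffled = [ds_parent, dnskey_com, ds_child, sig_parent, sig_child]  # a randomized rrset on the wire
    return b"".join(ordered), b"".join(shuffled)
```

With the ordered input both selection rules agree; with the shuffled input the positional rule rejects the chain (the first RR is the parent's DS and the second is not an RRSIG), while the longest-owner rule still finds the example.com DS. Either way a real log would still have to verify the RRSIG over the DS before accepting it, which this structural check does not do.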