On 11/02/2015 6:51 PM, Viktor Dukhovni wrote:
> On Wed, Feb 11, 2015 at 06:19:16PM -0500, John wrote:
>
>> Just curious, you put the actual TLSA record first and then the
>> CNAMEs. Any particular reason for the order?
>
> Clarity of exposition.  You're outsourcing thinking about this to
> the list.
No, I had thought about this and had come to the conclusion that order did not make a difference (as per below).
However, just because I came to that conclusion does not make me right.
Experts like yourself, Carsten et al. may know something I don't, and if you don't ask you don't get to know.
Now I KNOW that
a) I was right.
b) It does not make any difference.
c) I think my layout is better (so there).


>     * A DNS zone is a key-value database:
>
>         (owner-name, class, type) => RRset
>
>     * As with any key-value database the relative order
>       of keys cannot be significant.
>
>     * Even the relative order of RRs within an RRset is not significant
>       for DNSSEC purposes, as the RRset signature is calculated over
>       the canonical ordering.  So RRsets in which the order matters
>       cannot rely on DNSSEC to protect that order.

Take care
regards
John A
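An added example (not from the thread or from either poster) that makes Viktor's two points concrete: a zone modelled as a (owner, class, type) -> RRset map, and an RRset serialised in the canonical form and order of RFC 4034 sections 6.2 and 6.3 before hashing, so the TLSA RRset produces identical bytes whichever way the records were listed. The owner names and TLSA digests are constructed placeholders; the type codes (CNAME 5, TLSA 52) are the IANA values.

```python
# Added example: why record order in a zone file cannot matter to DNSSEC.
# Zone = key-value map; RRset signing input = canonical form/order (RFC 4034 6.2/6.3).
import hashlib
import struct

TYPE_CNAME, TYPE_TLSA, CLASS_IN = 5, 52, 1

def wire_name(name: str) -> bytes:
    """Uncompressed wire-format name, lowercased as RFC 4034 section 6.2 requires."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def canonical_rrset(owner: str, rtype: int, ttl: int, rdatas) -> bytes:
    """RFC 4034 section 6.3 canonical form: RRs sorted by RDATA as left-justified
    unsigned octet strings (a missing octet sorts before a zero octet), which is
    exactly how Python orders bytes. Duplicates collapse: an RRset is a set (RFC 2181)."""
    owner_wire = wire_name(owner)
    return b"".join(
        owner_wire + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rd)) + rd
        for rd in sorted(set(rdatas))
    )

def rrset_digest(owner, rtype, ttl, rdatas) -> str:
    """The bytes a signer hashes (the RRSIG RDATA prefix is omitted here)."""
    return hashlib.sha256(canonical_rrset(owner, rtype, ttl, rdatas)).hexdigest()

def build_zone(records) -> dict:
    """Key-value view of a zone: (owner, class, type) -> frozenset of RDATA."""
    zone = {}
    for owner, rtype, rdata in records:
        zone.setdefault((owner.lower(), CLASS_IN, rtype), set()).add(rdata)
    return {key: frozenset(rrs) for key, rrs in zone.items()}

# Constructed sample data (placeholder digests): one TLSA RRset (usage 3 DANE-EE,
# selector 1 SPKI, matching type 1 SHA-256) and two CNAMEs aliasing it,
# listed in two different orders.
TLSA_OWNER = "_25._tcp.mail.example.com."
TLSA_A = struct.pack("!BBB", 3, 1, 1) + bytes.fromhex("aa" * 32)
TLSA_B = struct.pack("!BBB", 3, 1, 1) + bytes.fromhex("11" * 32)
ORDER_1 = [
    (TLSA_OWNER, TYPE_TLSA, TLSA_A),
    (TLSA_OWNER, TYPE_TLSA, TLSA_B),
    ("_25._tcp.mx1.example.com.", TYPE_CNAME, wire_name(TLSA_OWNER)),
    ("_25._tcp.mx2.example.com.", TYPE_CNAME, wire_name(TLSA_OWNER)),
]
ORDER_2 = list(reversed(ORDER_1))
```

Comparing `build_zone(ORDER_1)` with `build_zone(ORDER_2)`, and `rrset_digest` over `[TLSA_A, TLSA_B]` with the same call over `[TLSA_B, TLSA_A]`, gives equality in both cases.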