12 Feb
2015
12 Feb
'15
12:51 a.m.
On Wed, Feb 11, 2015 at 06:19:16PM -0500, John wrote:
Just curious, you put the actual TLSA record first and then the CNAMEs. Any particular reason for the order?
Clarity of exposition. You're outsourcing thinking about this to the list.
* A DNS zone is a key-value database:
(owner-name, class, type) => RRset
* As with any key-value database the relative order of keys cannot be significant.
* Even the relative order of RRs within an RRset is not significant for DNSSEC purposes, as the RRset signature is calculated over the canonical ordering. So RRsets in which the order matters cannot rely on DNSSEC to protect that order.
--
Viktor.