propagate forced TLSA onto subdomains

[pdns-pipe-nmc.git] / SPEC.md

diff --git a/SPEC.md b/SPEC.md
index b93a852a339847b29931c173766510d216908c45..57940a5beddc51f243a927ee1e824067e8cf7d1d 100644 (file)
--- a/SPEC.md
+++ b/SPEC.md
@@ -325,9 +325,9 @@ the current object.
 ```
 
 Note: When a key contains dots ".", it is converted to a nested
-map.  If empty element appears as a result of split, such as when
-a dot is at the beginning or at the end of the key, or there are
-consequitive dots, such elemets are ignored. For example,
+map. Empty elements in the result of split, such as when a dot is
+at the beginning or at the end of the key, or there are
+consequitive dots, are diagnosed as erroneous data.
 
 ```
 "map": { "www.uk": { "alias" : "www.example.co.uk" }
@@ -340,8 +340,8 @@ is equivalent to
 ```
 "map": { "uk": { "map": { "www": { "alias" : "www.example.co.uk" }}}
        , "us": { "map": { "www": { "alias" : "www.example.com" }
-                       , "smtp": { "alias" : "smtp.example.com" }}
-              }
+                        , "smtp": { "alias" : "smtp.example.com" }}
+               }
        }
 ```
 
@@ -365,6 +365,20 @@ Intended to carry attributes as per
        }
 ```
 
+translates into:
+
+```
+_443._tcp      TLSA  (3 0 1 660008F9...7621B787)
+_25._tcp       TLSA  (3 0 1 660008F9...7621B787)
+```
+
+The third element of the `TlsObj` heterogenous array is an extention
+to the DANE definition. Value `0` means that this rule is not enforced
+upon subdomains, value `1` means that it is enforced on subdomains.
+Rule defined inside a subdomain `DomObj` that specifies `0` on a rule
+existing in upper domain, that specifies `1` should be ignored. I.e.
+subdomain rule cannot revoke enforcement imposed by an upper domain rule.
+
 #### ds attribute
 
 Translates into `DS` RR. Carries attributes defined by