At 18:32 +0000 11/21/05, bmanning@vacation.karoshi.com wrote:
>So... Hokay...
>
> DNSSEC is a fine and useful BOS ... but there is this little nagging
>problem that is bugging me. One of the lemmas is that zones are signed, which
>leaves the small problem of validating glue. Others have argued that the
>proper response is to insist that all glue be removed by excising all the
>"out of bailiwick" data - forcing servers to being the zone. Nice idea, but
>will take a -LONG- time to gain operational traction. So in the meantime,
>we have signed zones w/ "orphaned" RRsets.
>
> Is there any reason why we can't validate the NS records, perhaps
>using the same general techniques as would be used for incremental signing?


I'm not clear on the question. Are you asking why the parent doesn't
sign the cutpoint NS RRset? Are you calling the NS RRsets part of
the glue? (I've always thought the glue to be the address records
pertaining to the cutpoints and not the NS sets.)

One of the basic tenets of DNSSEC is to have the authority on an RRset
be the sole provider of authentication meta-data, i.e., the signature.

I've always liked the model of "let the NXT record note the presence
of an NS set and have that signed" as proof that a cut point was
granted by the parent without making a statement about the "Left Hand
Side" of the NS data. Only the child signs the NS RRsets, the
appropriate authority signs the address records that appear as glue.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar

3 months to the next trip. I guess it's finally time to settle down and
find a grocery store.
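The split of signing responsibility described in the reply above (the child alone signs the cutpoint NS RRset, the address records are signed by whoever holds authority over their owner name, and the parent's signed NXT with the NS type present is the proof that the cut was granted) can be modelled in a few lines. The following is an added example and not code from the thread or from any DNS implementation: zone names, the record data and the `signer` field (a stand-in for which zone's SIG/RRSIG covers the RRset) are constructed, and the "NS present, SOA absent" delegation test is taken from the later NSEC specification rather than from this message.

```python
"""Who signs what at a DNSSEC delegation point (constructed model).

Assumptions: `signer` stands in for the zone whose SIG/RRSIG covers an RRset;
zone and host names are made up; the child's own apex NXT is not modelled,
only the parent-side NXT at the delegation name.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Types the parent stays authoritative for even at the delegation name.
# NXT is the RFC 2535 name; NSEC and DS are its DNSSEC-bis successors.
PARENT_SIDE_TYPES = {"NXT", "NSEC", "DS"}


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str
    signer: Optional[str] = None        # zone whose key signed the RRset, if any
    types: frozenset = frozenset()      # type bitmap, used only for NXT/NSEC


def authority(name: str, rtype: str, zones: list[str]) -> str:
    """Zone authoritative for (name, rtype).

    Normal rule: deepest zone apex that is a suffix of the name.  Exception:
    NXT/NSEC/DS owned by the delegation name belong to the parent, which is
    what lets the parent prove the cut exists without signing the NS RRset.
    """
    enclosing = sorted((z for z in zones if name == z or name.endswith("." + z)),
                       key=len, reverse=True)
    if not enclosing:
        raise ValueError(f"no zone covers {name}")
    if name == enclosing[0] and rtype in PARENT_SIDE_TYPES and len(enclosing) > 1:
        return enclosing[1]
    return enclosing[0]


def classify(rr: RR, zones: list[str]) -> str:
    """How a validator should treat one record relative to its real authority."""
    owner = authority(rr.name, rr.rtype, zones)
    if rr.signer == owner:
        return "authoritative, signed by " + owner
    if rr.signer is None:
        return "unsigned hint, authority is " + owner
    return f"WRONG signer {rr.signer}, authority is {owner}"


def proves_delegation(nxt: RR, parent: str) -> bool:
    """Parent-signed NXT/NSEC at the cut with NS set and SOA clear.

    The NS-without-SOA test is the NSEC-era delegation test (assumed here);
    the RFC 2535 NXT carried the same kind of type bitmap.
    """
    return (nxt.rtype in {"NXT", "NSEC"} and nxt.signer == parent
            and "NS" in nxt.types and "SOA" not in nxt.types)


def report(records: list[RR], zones: list[str]) -> dict[tuple[str, str], str]:
    return {(rr.name, rr.rtype): classify(rr, zones) for rr in records}


# Constructed data: parent "example." delegating "child.example.".
ZONES = ["example.", "child.example."]
PARENT_RECORDS = [
    RR("example.", "SOA", "ns.example. hostmaster.example. 1", signer="example."),
    RR("child.example.", "NS", "ns1.child.example."),          # cutpoint NS, unsigned
    RR("ns1.child.example.", "A", "192.0.2.1"),                 # glue, unsigned
    RR("child.example.", "NXT", "example.", signer="example.",
       types=frozenset({"NS", "NXT", "SIG"})),                  # proof of the cut
]
CHILD_RECORDS = [
    RR("child.example.", "SOA", "ns1.child.example. h.child.example. 1",
       signer="child.example."),
    RR("child.example.", "NS", "ns1.child.example.", signer="child.example."),
    RR("ns1.child.example.", "A", "192.0.2.1", signer="child.example."),
]

if __name__ == "__main__":
    for label, recs in (("parent view", PARENT_RECORDS), ("child view", CHILD_RECORDS)):
        print(label)
        for key, verdict in report(recs, ZONES).items():
            print("  ", key, "->", verdict)
    print("delegation proven:", proves_delegation(PARENT_RECORDS[3], "example."))
```

Running it shows the parent's NS and glue records classified as unsigned hints whose authority is the child, the parent's NXT as the only signed, authoritative item at the cut, and the same NS and A records as signed and authoritative when served by the child. A parent that signed the cutpoint NS itself would be reported as the wrong signer.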
