This is a discussion on Re: "orphaned" RRsets & DNSSEC - DNS ; On Mon, Nov 21, 2005 at 01:47:35PM -0500, Edward Lewis wrote: > At 18:32 +0000 11/21/05, email@example.com wrote: > >So... Hokay... > > > > DNSSEC is a fine and useful BOS ... but there is this little nagging > ...
On Mon, Nov 21, 2005 at 01:47:35PM -0500, Edward Lewis wrote:
> At 18:32 +0000 11/21/05, firstname.lastname@example.org wrote:
> >So... Hokay...
> > DNSSEC is a fine and useful BOS ... but there is this little nagging
> >problem that is bugging me. One of the lemas is that zones are signed,
> >leaves the small problem of validating glue. others have argued that the
> >proper response is to insist on all glue be removed by excising all the
> >"out of baliwick" data - forcing servers to being the zone. nice idea, but
> >will take a -LONG- time to gain operational traction. So in the mean time,
> >we have signed zones w/ "orphaned" RRsets.
> > Is there any reason why we can't validate the NS records, perhaps
> >using the same general techniques as would be used for incremental signing?
> I'm not clear on the question. Are you asking why the parent doesn't
> sign the cutpoint NS RRset? Are you calling the NS RRSets part of
> the glue? (I've always thought the glue to be the address records
> pertaining to the cutpoints and not the NS sets.)
the NS RRset and the associated PTR records ...
> One of the basic tenets of DNSSEC is to have the authority on a RRset
> be the sole provider of authentication meta-data, i.e., the signature.
> I've always liked the model of "let the NXT record note the presence
> of an NS set and have that signed" as proof that a cut point was
> granted by the parent without making a statement about the "Left Hand
> Side" of the NS data. Only the child signs the NS RRsets, the
> appropriate authority signs the address records that appear as glue.
that gets me partly where i want to go...
> Edward Lewis +1-571-434-5468
> 3 months to the next trip. I guess it's finally time to settle down and
> find a grocery store.
to unsubscribe send a message to email@example.com with
the word 'unsubscribe' in a single line as the message text body.