On Mon, Nov 21, 2005 at 01:47:35PM -0500, Edward Lewis wrote:
> At 18:32 +0000 11/21/05, bmanning@vacation.karoshi.com wrote:
> >So... Hokay...
> >
> > DNSSEC is a fine and useful BOS ... but there is this little nagging
> >problem that is bugging me. One of the lemas is that zones are signed,
> >which
> >leaves the small problem of validating glue. others have argued that the
> >proper response is to insist on all glue be removed by excising all the
> >"out of baliwick" data - forcing servers to being the zone. nice idea, but
> >will take a -LONG- time to gain operational traction. So in the mean time,
> >we have signed zones w/ "orphaned" RRsets.
> >
> > Is there any reason why we can't validate the NS records, perhaps
> >using the same general techniques as would be used for incremental signing?

> I'm not clear on the question. Are you asking why the parent doesn't
> sign the cutpoint NS RRset? Are you calling the NS RRSets part of
> the glue? (I've always thought the glue to be the address records
> pertaining to the cutpoints and not the NS sets.)

the NS RRset and the associated PTR records ...

> One of the basic tenets of DNSSEC is to have the authority on a RRset
> be the sole provider of authentication meta-data, i.e., the signature.


> I've always liked the model of "let the NXT record note the presence
> of an NS set and have that signed" as proof that a cut point was
> granted by the parent without making a statement about the "Left Hand
> Side" of the NS data. Only the child signs the NS RRsets, the
> appropriate authority signs the address records that appear as glue.

that gets me partly where i want to go...

> --
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Edward Lewis +1-571-434-5468
> NeuStar
> 3 months to the next trip. I guess it's finally time to settle down and
> find a grocery store.

to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.