At 17:38 +0100 12/19/06, Roy Arends wrote:

>You want to be sure the NSEC record is from the correct zone, lets say
>"from the zone that has the authority to make that claim", and not from an
>ancestor zone.


The only time the bit map will give a hint whether the NSEC is right
or not is when it is parent/child involved, when the owner name is
the same between two NSEC choices.

It's possible that an NSEC owned by an ancestor label will not have
any delegation information.

www.foo.bar.example.com - A AAAA NSEC DNSKEY RRSIG
foo.bar.example.com - SOA NS NSEC DNSKEY RRSIG or NS DS NSEC DNSKEY RRSIG
bar.example.com - TXT
example.com - same as foo-bar-...
com - ditto
.. - just the second half of the above

Come to think of it, none of the ancestor NSECs would cover the last
anyway - all of the next names would be at or before the next name
down.

>I was ranting against the use of the word 'parent' instead of ancestor.
>that is all.


In this case, it would seem that parent is more accurate than ancestor.

Also, keep in mind that the NSEC has to be signed by its zone - that
ought to give away the authority of the NSEC. The only reason the
bitmap comes up is if you want to avoid having to look at the RRSIG.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar

Dessert - aka Service Pack 1 for lunch.
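As an added illustration of the checks discussed in this mail (example code, not from the original thread), the functions below decide whether an NSEC may deny a name using the RRSIG signer name for authority and the type bitmap only as the parent/child hint at a zone cut. It assumes the validator already knows which zone should be answering for the queried name (`expected_zone`) and passes the RRSIG signer alongside the NSEC; the names and bitmaps are constructed, following the mail's foo.bar.example.com example.

```python
def labels(name):
    """Lowercase labels of a dotted name with the root (empty label) dropped."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]

def is_at_or_below(name, zone):
    """True if `name` equals `zone` or lies underneath it."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def canonical_less(a, b):
    """RFC 4034 canonical ordering: compare labels from the root end; a shorter prefix sorts first."""
    la, lb = labels(a)[::-1], labels(b)[::-1]
    for x, y in zip(la, lb):
        if x != y:
            return x.encode() < y.encode()
    return len(la) < len(lb)

def nsec_side(type_bitmap):
    """Which side of a zone cut the bitmap hints at (the only case where the bitmap helps)."""
    t = {x.upper() for x in type_bitmap}
    if "SOA" in t:
        return "child-apex"         # SOA NS NSEC DNSKEY RRSIG: apex of the child zone
    if "NS" in t:
        return "parent-delegation"  # NS DS NSEC RRSIG: delegation point in the parent
    return "ordinary"

def nsec_covers(owner, next_name, qname):
    """True if qname sorts strictly between owner and next (next <= owner marks the wrap to the apex)."""
    after_owner = canonical_less(owner, qname)
    before_next = canonical_less(qname, next_name)
    wraps = not canonical_less(owner, next_name)
    return after_owner and (before_next or wraps)

def usable_denial(owner, next_name, type_bitmap, signer, qname, expected_zone):
    """Accept the NSEC as a denial for qname only if the zone that has the authority
    signed it (RRSIG signer == expected_zone), it covers qname, and it is not a
    parent-side delegation NSEC being used to speak for names below the cut."""
    if labels(signer) != labels(expected_zone):   # the signer gives away the authority
        return False
    if not nsec_covers(owner, next_name, qname):
        return False
    below_cut = is_at_or_below(qname, owner) and labels(qname) != labels(owner)
    if nsec_side(type_bitmap) == "parent-delegation" and below_cut:
        return False                                # an ancestor's NSEC cannot speak for the child
    return True
```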
