[dnsext] recommended contents for Re: DNAME (and CNAME) vs DNSSEC

Edward Lewis <Ed.Lewis@neustar.biz> Wed, 24 September 2008 10:22 UTC

(ref. http://tools.ietf.org/id/draft-ietf-dnsext-rfc2672bis-dname-14.txt)

As there are others with notes, I'm avoiding sending text but at least 
some guidelines for what should be in the section.

DNAME and DNSSEC

For implementations that understand both DNSSEC and DNAME (synthesis).

In any response, a signed DNAME RR indicates a non-terminal 
redirection of the query.  There might or might not be a server 
synthesized CNAME in the answer section, if there is, the CNAME will 
never be signed.  For a DNSSEC validator, verification of the DNAME 
RR and then checking that the CNAME was properly synthesized is 
sufficient proof.

In any negative response, an NSEC or NSEC3 record type bit map must 
be checked to see that there was no DNAME that could have been 
applied.  Yadda, yadda, yadda.

...What I find is that the current text only or overly discusses 
negative answers.

I could provide more text later, but I have faith in the editors and 
know they will have to incorporate other input on this.  But if I am 
asked, I'll do something later.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

Never confuse activity with progress.  Activity pays more.

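An added example, not part of the original message or of the draft it references: a sketch of the positive-answer check the message describes, where a validator that has already verified the signed DNAME confirms that the unsigned CNAME in the answer is the one the DNAME would synthesize. The function names and sample domain names are hypothetical, and RRSIG verification of the DNAME is assumed to be done elsewhere and passed in as a flag.

```python
# Added example: check that an unsigned CNAME is the one a server would
# synthesize from an already-validated DNAME. Names used are constructed samples.

MAX_WIRE_LEN = 255  # maximum domain name length in wire format, in octets


def labels(name):
    """Split a presentation-format name into lowercase labels (escapes not handled)."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def wire_len(lbls):
    """Length on the wire: one length octet per label, plus the root octet."""
    return sum(len(l) + 1 for l in lbls) + 1


def synthesize_target(qname, dname_owner, dname_target):
    """Return the CNAME target for qname, or None if the DNAME does not apply
    or the substituted name would exceed 255 octets."""
    q, owner, target = labels(qname), labels(dname_owner), labels(dname_target)
    # A DNAME redirects only names strictly below its owner, never the owner
    # itself. Comparing whole labels keeps "badexample.com" out of "example.com".
    if len(q) <= len(owner) or q[len(q) - len(owner):] != owner:
        return None
    new = q[:len(q) - len(owner)] + target
    if wire_len(new) > MAX_WIRE_LEN:
        return None
    return ".".join(new) + "."


def cname_is_proper_synthesis(qname, dname, cname, dname_validated):
    """dname and cname are (owner, target) tuples. dname_validated is the
    outcome of signature verification over the DNAME RRset (assumed input)."""
    if not dname_validated:
        return False
    expected = synthesize_target(qname, dname[0], dname[1])
    if expected is None:
        return False
    # The CNAME must be owned by the query name and point at the substituted name.
    return (labels(cname[0]) == labels(qname)
            and labels(cname[1]) == labels(expected))
```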