Re: draft-arends-dnsnr-00
Samuel Weiler <weiler@tislabs.com> Tue, 27 July 2004 15:42 UTC
Received: from psg.com (mailnull@psg.com [147.28.0.62]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA23175 for <dnsext-archive@lists.ietf.org>; Tue, 27 Jul 2004 11:42:21 -0400 (EDT)
Received: from majordom by psg.com with local (Exim 4.41 (FreeBSD)) id 1BpU3Q-000Oez-AR for namedroppers-data@psg.com; Tue, 27 Jul 2004 15:39:48 +0000
Received: from [192.94.214.100] (helo=nutshell.tislabs.com) by psg.com with esmtp (Exim 4.41 (FreeBSD)) id 1BpU3P-000Oej-Ei for namedroppers@ops.ietf.org; Tue, 27 Jul 2004 15:39:47 +0000
Received: (from uucp@localhost) by nutshell.tislabs.com (8.12.9/8.12.9) id i6RFb0Lq009356 for <namedroppers@ops.ietf.org>; Tue, 27 Jul 2004 11:37:00 -0400 (EDT)
Received: from filbert.tislabs.com(10.66.1.10) by nutshell.tislabs.com via csmap (V6.0) id srcAAAXjaqks; Tue, 27 Jul 04 11:36:48 -0400
Received: from localhost (weiler@localhost) by tislabs.com (8.12.9/8.12.9) with ESMTP id i6RFc3s5008538; Tue, 27 Jul 2004 11:38:03 -0400 (EDT)
Date: Tue, 27 Jul 2004 11:38:02 -0400
From: Samuel Weiler <weiler@tislabs.com>
X-X-Sender: weiler@filbert
To: Roy Arends <roy@dnss.ec>
cc: namedroppers@ops.ietf.org
Subject: Re: draft-arends-dnsnr-00
In-Reply-To: <Pine.BSO.4.56.0407121709550.12231@trinitario.schlyter.se>
Message-ID: <Pine.GSO.4.55.0407271136500.5963@filbert>
References: <Pine.BSO.4.56.0407121709550.12231@trinitario.schlyter.se>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on psg.com
X-Spam-Status: No, hits=-4.3 required=5.0 tests=AWL,BAYES_00,OPT_IN autolearn=ham version=2.63
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
Avoiding the terminology discussion entirely...

I'm confused about how DNSNR is supposed to work with hashed next names. Perhaps I'm missing something. I'd like to be enlightened.

It looks like you're continuing to use DNSNR/NSEC3 owner names which match "actual owner names", to borrow Ben's terminology. For example (and I'd love to see an example with hashed owner names in the doc):

   example.com.      86400 IN DNSNR ? 1 34abc (hash(34abc+alpha)) types
   alfa.example.com. 86400 IN DNSNR ? 1 34abc (hash(34abc+beta))  types
   beta.example.com. 86400 IN DNSNR ? 1 34abc (hash(34abc+apex))  types

(Which ignores the authoritative-only bit and doesn't say how much of the next name you're hashing, since I don't understand that part of the discussion.)

What answer is given in response to a query for c.example.com? The beta DNSNR tells me nothing, since I can't tell what name was used to create the hash, and I can't tell if c.example.com would be covered by the DNSNR or not.

In other matters, I find the discussion of the authoritative only bit in 2.1.1 confusing, if not misleading. If you want to not have DNSNRs for unsecure delegations (or optionally not have them), just say that. Make it clear whether the authoritative only bit is a per-zone thing or applies per-span, like opt-in. And the incomplete citation in the first paragraph of 2.1.4 is likely to be inconsistent with not requiring DNSNRs at each name (including those unsecure delegations).

Also, the presentation format of the hash value is inconsistent between 2.1.2 (third paragraph) and 2.2.

-- Sam

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
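The following is an added illustration of the coverage question raised in the message above; it is not code from this thread or from draft-arends-dnsnr-00. It implements the alternative Sam asks to see an example of: hashing the owner names themselves and sorting the zone by hash (the approach NSEC3 later standardized in RFC 5155, using SHA-1 over the wire-format name plus a salt, iterated, and base32hex output). Because a validator can hash the queried name with the same published parameters, it can place that hash between two adjacent records and decide whether c.example.com falls in a gap. With the layout in Sam's sketch (clear-text owner name, hashed next name), the validator has no such way to compare. The zone names are taken from Sam's example; the salt and iteration count are constructed values, and the record representation is a dictionary rather than any DNSNR wire or presentation format.

```python
import base64
import hashlib

# Constructed parameters, chosen for the example only. In RFC 5155 they would
# be published in the zone so a validator can reproduce every hash.
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 10

# RFC 5155 uses base32hex (RFC 4648) because, unlike the ordinary base32
# alphabet, it preserves the numeric order of the digest when compared as text.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name):
    """Canonical (lowercased) wire-format encoding of a domain name."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def hash_name(name, salt=SALT, iterations=ITERATIONS):
    """NSEC3-style owner-name hash (RFC 5155 section 5): SHA-1 over the wire
    name plus salt, re-hashed `iterations` more times, rendered as base32hex."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 160 bits is an exact multiple of 5, so there is no '=' padding to strip.
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX)


def build_chain(zone_names, salt=SALT, iterations=ITERATIONS):
    """Sort the hashed owner names into a ring; each record names the next
    hash, and the last record wraps around to the first."""
    hashed = sorted((hash_name(n, salt, iterations), n) for n in zone_names)
    chain = []
    for i, (h, owner) in enumerate(hashed):
        nxt = hashed[(i + 1) % len(hashed)][0]
        chain.append({"hash": h, "next": nxt, "original": owner})
    return chain


def covers(record, h):
    """True if h falls strictly between the record's hash and its next hash,
    taking the wrap-around at the end of the ring into account."""
    lo, hi = record["hash"], record["next"]
    if lo < hi:
        return lo < h < hi
    return h > lo or h < hi  # the last record wraps around to the first


def prove(chain, qname, salt=SALT, iterations=ITERATIONS):
    """Return ('exists', rec) on an exact hash match, or ('covered', rec) with
    the record whose gap proves that qname does not exist in the zone."""
    h = hash_name(qname, salt, iterations)
    for rec in chain:
        if rec["hash"] == h:
            return "exists", rec
    for rec in chain:
        if covers(rec, h):
            return "covered", rec
    raise RuntimeError("chain is not a closed ring")


if __name__ == "__main__":
    # The three names from Sam's sketch.
    zone = ["example.com.", "alfa.example.com.", "beta.example.com."]
    chain = build_chain(zone)
    for rec in chain:
        print(f"{rec['hash']}  next={rec['next']}  ({rec['original']})")
    kind, rec = prove(chain, "c.example.com.")
    print(f"c.example.com. is {kind} by the record for {rec['original']}")
```

The key property is the comparison in covers(): the resolver only needs the two published hashes of one record and its own hash of the queried name. Hashing the next name alone, as in the sketch above, leaves the resolver with nothing it can compute on its side to compare against.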