Re: [dnsext] recommeded contents for Re: DNAME (and CNAME) vs DNSSEC

[Scott Rose <scottr@nist.gov>]

On Sep 24, 2008, at 6:14 AM, Edward Lewis wrote:

> (ref. http://tools.ietf.org/id/draft-ietf-dnsext-rfc2672bis-dname-14.txt)
>
> As there are others with notes, I' avoiding sending text but at  
> least some guidelines for what should be in the section.
>
> DNAME and DNSSEC
>
> For implementations that understand both DNSSEC and DNAME (synthesis).
>
> In any response, a signed DNAME RR indicates a non-terminal  
> redirection of the query.  There might or might not be a server  
> synthesized CNAME in the answer section, if there is, the CNAME will  
> never be signed.  For a DNSSEC validator, verification of the DNAME  
> RR and then checking that the CNAME was properly synthesized is  
> sufficient proof.
>
> In any negative response, an NSEC or NSEC3 record type bit map must  
> be checked to see that there was no DNAME that could have been  
> applied.  Yadda, yadda, yadda.
>
> ...What I find is that the currect text only or overly discusses  
> negative answers.
>
> I could provide more text later, but I have faith in the editors and  
> know they will have to incorporate other input on this.  But if I am  
> asked, I'll do something later.

We'll take anyone's input - for those out there that want to steal  
Ed's thunder :)

Scott


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>