Re: [dnsext] Possible DNSSECbis clarifications

"Marc Lampo" <marc.lampo@eurid.eu> Mon, 28 March 2011 14:22 UTC

From: Marc Lampo <marc.lampo@eurid.eu>
To: 'Joe Abley' <jabley@hopcount.ca>
References: <4D9042DA.30002@ogud.com> <00a701cbed28$64d1b1d0$2e751570$@lampo@eurid.eu> <EBB9E54E-15F1-46B0-81CB-4B2C7B47D598@hopcount.ca> <018401cbed48$0b8a6ac0$229f4040$@lampo@eurid.eu> <22FD4CD1-4EFB-412A-A307-485DEBE815CE@hopcount.ca>
In-Reply-To: <22FD4CD1-4EFB-412A-A307-485DEBE815CE@hopcount.ca>
Date: Mon, 28 Mar 2011 16:19:07 +0200
Message-ID: <01a901cbed53$e744b7e0$b5ce27a0$@lampo>
Cc: dnsext@ietf.org, 'Olafur Gudmundsson' <ogud@ogud.com>
Subject: Re: [dnsext] Possible DNSSECbis clarifications

But then, how to link an RRSIG(SOA) with *its* SOA?

Or simply: "try" all available RRSIG(SOA)s; if at least one validates
the SOA being looked at, then accept it.
(where "validates" includes not only that the signature is valid and within
its validity period, but also that the chain of trust is OK)

Marc

-----Original Message-----
From: Joe Abley [mailto:jabley@hopcount.ca] 
Sent: 28 March 2011 03:09 PM
To: Marc Lampo
Cc: dnsext@ietf.org; 'Olafur Gudmundsson'
Subject: Re: [dnsext] Possible DNSSECbis clarifications


On 2011-03-28, at 14:54, Marc Lampo wrote:

> I agree that, if there is a record following that "last SOA", that SOA is
> obviously not the last one of the zone transfer.
> Which brings us to the question:
> Where to put that RRSIG(SOA), knowing that potentially the SOA may change
> between start and end of AXFR.
> (in which case the receiving name server must refuse the just downloaded
> zone and attempt AXFR again)

Anywhere between the two SOA records seems sensible to me.


Joe
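An added illustration, not code from this thread or from any DNS implementation, of the two rules discussed above: the transfer is bounded by two matching SOAs (refuse and retry if they differ), and the receiver "tries" every RRSIG(SOA) found anywhere between them, accepting the SOA when one validates (good signature, inside its validity period, trusted key). Record layout, key tags, keys and timestamps are constructed, and an HMAC stands in for real RRSIG verification so the example runs offline.

```python
import hmac, hashlib
from dataclasses import dataclass
@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str
@dataclass(frozen=True)
class RRSIG:                 # the RFC 4034 RRSIG fields that matter here
    type_covered: str
    key_tag: int
    inception: int
    expiration: int
    signature: bytes
    rtype: str = "RRSIG"

def make_sig(soa, key_tag, key, inception, expiration):
    # HMAC over owner|type|rdata stands in for the DNSKEY algorithm (offline stand-in).
    mac = hmac.new(key, f"{soa.name}|{soa.rtype}|{soa.rdata}".encode(), hashlib.sha256).digest()
    return RRSIG("SOA", key_tag, inception, expiration, mac)

def rrsig_validates(sig, soa, trusted_keys, now):
    # Marc's "validates": good signature, within validity period, chain of trust OK
    # (here: the key tag is in the trusted set).
    key = trusted_keys.get(sig.key_tag)
    if key is None or sig.type_covered != "SOA":
        return False
    if not sig.inception <= now <= sig.expiration:
        return False
    expected = make_sig(soa, sig.key_tag, key, sig.inception, sig.expiration)
    return hmac.compare_digest(expected.signature, sig.signature)

def check_axfr(records, trusted_keys, now):
    # Returns the accepted SOA, or None when the transfer must be refused.
    if len(records) < 2 or records[0].rtype != "SOA" or records[-1].rtype != "SOA":
        return None
    first, last = records[0], records[-1]
    if first.rdata != last.rdata:    # zone changed mid-transfer: refuse and retry AXFR
        return None
    # RRSIG(SOA) may sit anywhere between the two SOAs: try every one of them.
    sigs = [r for r in records[1:-1] if isinstance(r, RRSIG)]
    return first if any(rrsig_validates(s, first, trusted_keys, now) for s in sigs) else None

# Constructed sample: a stale RRSIG(SOA) from a retired key precedes the good one.
TRUSTED = {4711: b"current-zsk"}
SOA = RR("example.", "SOA", "ns1.example. hostmaster.example. 2011032801 7200 900 1209600 3600")
GOOD = make_sig(SOA, 4711, b"current-zsk", 1_300_000_000, 1_302_000_000)
STALE = make_sig(SOA, 1234, b"old-zsk", 1_290_000_000, 1_299_000_000)
TRANSFER = [SOA, RR("example.", "NS", "ns1.example."), STALE,
            RR("www.example.", "A", "192.0.2.1"), GOOD, SOA]
```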