Re: Interpreting DNSSEC was Re: [dnsext] flip-flopping secure and unsecure DNAME/CNAME

Edward Lewis <Ed.Lewis@neustar.biz> Fri, 24 October 2008 22:25 UTC

Date: Sat, 25 Oct 2008 00:21:07 +0200
To: namedroppers@ops.ietf.org
From: Edward Lewis <Ed.Lewis@neustar.biz>
Subject: Re: Interpreting DNSSEC was Re: [dnsext] flip-flopping secure and unsecure DNAME/CNAME

At 17:54 -0400 10/24/08, Michael StJohns wrote:

>How the heck do I as the owner of subzone.example.com figure out which
>resolvers to tell about the change??

The answer is "you don't" and "DNSSEC never promised you could." 
Remember that the, okay, a fundamental rule of DNSSEC is that it is 
there to protect the resolver and not the authority of the data.  You 
(as an admin) don't have any tools to reach out and touch your 
audience.  Just as DNSSEC does not guarantee the answer will get 
through (no DoS prevention) it only guarantees that what is received 
can be validated (if the stars align).  DNSSEC is driven from the 
resolver and not the authority.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

Never confuse activity with progress.  Activity pays more.
