Re: [dnsext] DNAME with exceptions - work-around found

"W.C.A. Wijngaards" <wouter@NLnetLabs.nl> Mon, 13 September 2010 07:19 UTC

Message-ID: <4C8DCED3.2030702@nlnetlabs.nl>
Date: Mon, 13 Sep 2010 09:12:19 +0200
From: "W.C.A. Wijngaards" <wouter@NLnetLabs.nl>
To: Brian Dickson <brian.peter.dickson@gmail.com>
CC: namedroppers@ops.ietf.org
References: <AANLkTim8o93AQhj_oUvWMvqNH6DiN_W9mLSznRLu9ePA@mail.gmail.com> <4C8B3F0E.8050806@nlnetlabs.nl> <AANLkTi=s92ndRdeTGzC16sMNkPkDNbqtkEjRiSCxiW15@mail.gmail.com>
In-Reply-To: <AANLkTi=s92ndRdeTGzC16sMNkPkDNbqtkEjRiSCxiW15@mail.gmail.com>


On 09/13/2010 12:24 AM, Brian Dickson wrote:
> This works, both directly, and through a cache. And it can be made to
> also validate for DNSSEC, by the following process:

Yes, that is dirty :-)

> Use the same DNSKEYs for all the variants at each level (i.e. one set of
> keys for all the exceptions under one zone), and combining the (mapped)
> DS keys, gets you the necessary delegation DNSSEC
> authentication/validation. The DNAME rewrites the QNAME, but the
> returned values authenticate since they are the same RDATA. (Yes, it's a
> cute and evil trick.)

Well, the signer name in the RRSIG needs to refer to the correct key.
Not sure if zone-signers, servers and validators can agree on that.  Or
be made to, but you could include multiple RRSIGs as a cop-out I guess.

I note the high traffic volume of this solution.  Due to TTL=0.  (for
the requirements).

Best regards,
   Wouter
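As an added example (not from this thread, nor code from NLnet Labs or any validator), the pre-signature RRSIG checks of RFC 4035 section 5.3.1 that bear on Wouter's point: identical DNSKEY RDATA published at two apexes yields the same key tag, but the RRSIG signer name must still name the zone that the (DNAME-rewritten) owner falls under. The names, the key bytes and the example.com to example.net mapping are constructed; the cryptographic signature verification itself is not shown.

```python
from collections import namedtuple

# Constructed record types holding just the RDATA fields the checks need.
RRSIG = namedtuple("RRSIG", "owner signer_name algorithm key_tag")
DNSKEY = namedtuple("DNSKEY", "owner flags protocol algorithm public_key")
ZONE_FLAG = 0x0100  # RFC 4034 2.1.1: bit 7, the Zone Key flag

def labels(name):
    """Presentation-format name -> lower-cased label list (root is [])."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]

def at_or_below(owner, zone):
    """True if owner equals zone or is a subdomain of it."""
    o, z = labels(owner), labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z

def key_tag(key):
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    rdata = key.flags.to_bytes(2, "big") + bytes([key.protocol, key.algorithm]) + key.public_key
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (ac + ((ac >> 16) & 0xFFFF)) & 0xFFFF

def signer_checks(rrsig, apex_keys):
    """RFC 4035 5.3.1 checks a validator runs before verifying the signature bits.
    apex_keys: DNSKEY RRset already authenticated for the zone named by signer_name."""
    if not at_or_below(rrsig.owner, rrsig.signer_name):
        return False, "owner %s is not at or below signer %s" % (rrsig.owner, rrsig.signer_name)
    for k in apex_keys:
        if (labels(k.owner) == labels(rrsig.signer_name) and k.flags & ZONE_FLAG
                and k.algorithm == rrsig.algorithm and key_tag(k) == rrsig.key_tag):
            return True, "DNSKEY at signer name matches algorithm and key tag"
    return False, "no DNSKEY at signer name matches algorithm and key tag"

# Constructed scenario: identical key RDATA published at both apexes (the trick in the
# thread) while a DNAME maps names under example.com to names under example.net.
KEY_BYTES = bytes(range(1, 65))  # hypothetical public key material
KEY_COM = DNSKEY("example.com.", ZONE_FLAG, 3, 8, KEY_BYTES)
KEY_NET = DNSKEY("example.net.", ZONE_FLAG, 3, 8, KEY_BYTES)

def demo():
    """Run the checks for the original, rewritten-but-unchanged, and re-signed RRSIG."""
    tag = key_tag(KEY_COM)  # same RDATA at both apexes, so KEY_NET has the same tag
    original = RRSIG("www.sub.example.com.", "example.com.", 8, tag)
    rewritten = RRSIG("www.sub.example.net.", "example.com.", 8, tag)  # owner moved, signer not
    resigned = RRSIG("www.sub.example.net.", "example.net.", 8, tag)   # signer names the new zone
    return {"original": signer_checks(original, [KEY_COM])[0],
            "rewritten": signer_checks(rewritten, [KEY_COM, KEY_NET])[0],
            "resigned": signer_checks(resigned, [KEY_NET])[0]}
```

Only the "resigned" case passes for the rewritten owner, which is why the signer name (not just the key bits) has to agree between signer, server and validator.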