Re: number games. Re: WGLC for DNSSECbis docs
Derek Atkins <derek@ihtfp.com> Wed, 02 June 2004 15:03 UTC
To: Olaf Kolkman <olaf@ripe.net>
Cc: namedroppers@ops.ietf.org
Subject: Re: number games. Re: WGLC for DNSSECbis docs
References: <200406020824.i528OcMC066612@open.nlnetlabs.nl> <Pine.LNX.4.58.0406021056200.21385@elektron.atoom.net> <sjmbrk2m3hs.fsf@dogbert.ihtfp.org> <C039CFCF-B4A3-11D8-9A2A-000393DA2D46@ripe.net>
From: Derek Atkins <derek@ihtfp.com>
Date: Wed, 02 Jun 2004 10:59:29 -0400
In-Reply-To: <C039CFCF-B4A3-11D8-9A2A-000393DA2D46@ripe.net> (Olaf Kolkman's message of "Wed, 2 Jun 2004 16:47:20 +0200")
Message-ID: <sjmpt8iknu6.fsf@dogbert.ihtfp.org>
Olaf Kolkman <olaf@ripe.net> writes:
> There are NSECs proving that there is no DS above the delegation
> point for each unsecured child.
Yes, but unless things have changed yet again, NS delegation records
are not authoritative data, which means you shouldn't need an NSEC at
the name to prove that no DS exists. E.g.:
@ = example.
a       NS        ..
        DS        ..
        SIG(DS)   ..
        NSEC      c ...
        SIG(NSEC)
b       NS        ..
c       NS        ..
        DS        ..
        SIG(DS)   ..
        NSEC      . ..
        SIG(NSEC)
"b NS" isn't authoritative so you don't need an NSEC at the node. The
'a NSEC c' proves that no DS exists for b. From
draft-ietf-dnsext-nsec-rdata-06 section 2.1.1:
    Owner names of RRsets not authoritative for the given zone (such as
    glue records) MUST NOT be listed in the Next Domain Name unless at
    least one authoritative RRset exists at the same owner name.
Neither NS delegations nor glue A records are authoritative data.
> --Olaf
-derek
--
Derek Atkins 617-623-3745
derek@ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
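The proof Derek describes above (the "a NSEC c" record covering b, and "c NSEC ." wrapping the chain), as an added example that is not part of this thread: a Python check a validator could run over a parent zone's NSEC records to decide whether a DS is proven absent at a delegation name. The names (a.example. etc.), the use of RFC 4034 section 6.1 canonical ordering, and reading the "." next name as a wrap back to the apex are assumptions of this example.

```python
# Added example, not from the thread: validator-side check of the
# argument in the message (RRSIGs assumed already verified).

def canonical_labels(name):
    """Labels of `name`, root-most first, lowercased (RFC 4034 section 6.1)."""
    name = name.rstrip(".").lower()
    return list(reversed(name.split("."))) if name else []

def canonical_lt(a, b):
    """Canonical DNSSEC name ordering: compare label by label from the root;
    a shorter name sorts before any name that extends it."""
    la, lb = canonical_labels(a), canonical_labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return x.encode() < y.encode()
    return len(la) < len(lb)

def nsec_covers(owner, next_name, name):
    """True if `name` lies strictly between `owner` and `next_name`. When
    next_name does not sort after owner (it is the apex or '.'), this is the
    last NSEC of the chain and it wraps, covering everything after owner."""
    if not canonical_lt(owner, name):
        return False
    wraps = not canonical_lt(owner, next_name)
    return wraps or canonical_lt(name, next_name)

def ds_proven_absent(nsecs, name):
    """nsecs: iterable of (owner, next_name, set_of_types). Returns a short
    description of the proof, or None if no DS absence at `name` is proven."""
    for owner, nxt, types in nsecs:
        if canonical_labels(owner) == canonical_labels(name):
            # Authoritative data at the name: its own bitmap must lack DS.
            return None if "DS" in types else f"NSEC at {owner} lists no DS"
        if nsec_covers(owner, nxt, name):
            # No NSEC at the name: no authoritative data there, hence no DS.
            return f"{owner} NSEC {nxt} covers {name}"
    return None

# Constructed sample following the zone fragment in the message (apex example.;
# the trailing "." next name is taken to mean the chain wraps to the apex).
SAMPLE_NSECS = [
    ("a.example.", "c.example.", {"NS", "DS", "RRSIG", "NSEC"}),
    ("c.example.", "example.", {"NS", "DS", "RRSIG", "NSEC"}),
]

if __name__ == "__main__":
    for child in ("a.example.", "b.example.", "c.example.", "d.example."):
        print(child, "->", ds_proven_absent(SAMPLE_NSECS, child))
```

Running it shows b.example. proven insecure by the a-to-c span with no NSEC of its own, while a.example. and c.example. carry a DS in their bitmaps and get no such proof.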