Re: [dnsext] Short introduction to zone cuts?

Ray Bellis <Ray.Bellis@nominet.org.uk> Tue, 20 March 2012 09:31 UTC

From: Ray Bellis <Ray.Bellis@nominet.org.uk>
To: Doug Barton <dougb@dougbarton.us>
Date: Tue, 20 Mar 2012 09:31:29 +0000
Message-ID: <90DCCEAC-DBBF-423E-99DE-46D21D078F66@nominet.org.uk>
References: <946E9EC4-9872-4A98-BCEB-3CD7420929A1@vpnc.org> <20120316233618.16C831E9F8E3@drugs.dv.isc.org> <8D53F412-A917-4DB2-9B7F-527B8FDD6779@nominet.org.uk> <4F653C29.2070103@dougbarton.us> <B9ADF3A0-5943-4FFF-A614-5727D34AD6F6@nominet.org.uk> <4F67B7A7.1000608@dougbarton.us>
In-Reply-To: <4F67B7A7.1000608@dougbarton.us>
Cc: DNSEXT Working Group <dnsext@ietf.org>
Subject: Re: [dnsext] Short introduction to zone cuts?

On 19 Mar 2012, at 22:48, Doug Barton wrote:

> 
> Right, and that's the devious subtlety of your message. :)  No one would
> ever query ns1.example.com iteratively for the sample records in the
> zone you posted because they would have no way of knowing that
> ns1.example.com thought it was authoritative for those records.

Sure they would!

You can try it:

% dig +short @8.8.8.8 1.1.2.2.3.3.5.6.8.1.4.4.e164.arpa. NAPTR
100 20 "u" "E2U+pstn:tel" "!^(.*)$!tel:\\1!" .
100 10 "u" "E2U+sip" "!^\\+441865332(.*)$!sip:\\1@nominet.org.uk!" .

> Clients querying it directly would get an answer (think in-house
> resolvers with various in-house zones slaved to it) but no one else would.

Yes, they would.

The recursive server without an entry in cache ends up at the NS for 4.4.e164.arpa, at which point we send a referral _for the whole domain name_ pointing at ns1.example.com.

The query arrives there, and is duly answered.  Sans DNSSEC, the mismatch in the zone cut between parent and child is never noticed.

Ray

_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext
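The referral path Ray describes (parent hands the whole name down, child answers from a zone cut at a different point, nothing notices unless DNSSEC is in play) can be walked through with a toy resolver. This is an added example for this archive page, not code from the thread or from Nominet; the server name ns.parent.example, the child zone's apex one cut above the delegation, and the simplified "RRSIG signer name must equal the zone the delegation chain led to" check are all assumptions chosen to illustrate the point.

```python
"""Toy iterative resolver: a parent/child zone-cut mismatch is invisible
without DNSSEC.  Constructed example for this thread, not the poster's code;
server names, the child zone's apex and the signer-name check are assumptions."""

from dataclasses import dataclass, field
from typing import Optional


def labels(name: str) -> list:
    return name.lower().rstrip(".").split(".")


def in_or_below(name: str, zone: str) -> bool:
    """True when name equals zone or lies below it."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[-len(z):] == z


@dataclass
class Zone:
    apex: str
    records: dict                                    # (owner, rtype) -> [rdata, ...]
    delegations: dict = field(default_factory=dict)  # cut -> [ns name, ...]


@dataclass
class Response:
    aa: bool
    answer: list
    referral_to: Optional[str] = None   # delegation point named in a referral
    ns_names: list = field(default_factory=list)
    signer: Optional[str] = None        # stands in for the RRSIG Signer's Name


class Server:
    """Authoritative server: answers from its zones or refers downward."""
    def __init__(self, name: str, zones: list):
        self.name, self.zones = name, zones

    def query(self, qname: str, qtype: str) -> Response:
        held = [z for z in self.zones if in_or_below(qname, z.apex)]
        if not held:
            return Response(aa=False, answer=[])          # REFUSED, in effect
        zone = max(held, key=lambda z: len(labels(z.apex)))
        # Any name at or below a cut inside this zone gets a referral, whatever
        # the qtype: the parent sends the whole domain name downward.
        for cut, nss in zone.delegations.items():
            if in_or_below(qname, cut):
                return Response(aa=False, answer=[], referral_to=cut, ns_names=nss)
        rdata = zone.records.get((qname.lower().rstrip("."), qtype), [])
        return Response(aa=True, answer=rdata, signer=zone.apex)


class Bogus(Exception):
    pass


def resolve(servers: dict, start: str, trust_anchor: str,
            qname: str, qtype: str, validate: bool = False):
    """Empty-cache iterative lookup starting at `start`.
    With validate=True it applies the core of the DNSSEC rule that the
    signer of an answer must be the zone the delegation chain led to."""
    server, zone_expected, path = servers[start], trust_anchor, []
    for _ in range(8):                                   # loop guard
        r = server.query(qname, qtype)
        path.append(server.name)
        if r.referral_to:
            zone_expected = r.referral_to
            server = servers[r.ns_names[0]]
            continue
        if validate and r.signer != zone_expected:
            raise Bogus(f"answer signed by {r.signer!r}, "
                        f"delegation chain says {zone_expected!r}")
        return r.answer, path
    raise RuntimeError("referral loop")


# --- constructed scenario using the names from the thread ----------------
QNAME = "1.1.2.2.3.3.5.6.8.1.4.4.e164.arpa"
PARENT_APEX = "4.4.e164.arpa"
NAPTR = ['100 10 "u" "E2U+sip" "!^\\+441865332(.*)$!sip:\\1@nominet.org.uk!" .']


def build(child_apex: str) -> dict:
    """Parent delegates the full QNAME to ns1.example.com; the child serves
    the record from a zone whose apex is `child_apex` (assumed layout)."""
    soa = ["ns.parent.example. hostmaster.parent.example. 1 3600 900 604800 300"]
    parent = Zone(PARENT_APEX, {(PARENT_APEX, "SOA"): soa},
                  delegations={QNAME: ["ns1.example.com"]})
    child = Zone(child_apex, {(QNAME, "NAPTR"): NAPTR})
    return {"ns.parent.example": Server("ns.parent.example", [parent]),
            "ns1.example.com": Server("ns1.example.com", [child])}


def lookup(child_apex: str, validate: bool):
    return resolve(build(child_apex), "ns.parent.example", PARENT_APEX,
                   QNAME, "NAPTR", validate)


if __name__ == "__main__":
    # Child apex one cut above where the parent delegates: still answered.
    print(lookup("5.6.8.1.4.4.e164.arpa", validate=False))
    try:
        lookup("5.6.8.1.4.4.e164.arpa", validate=True)
    except Bogus as e:
        print("with validation:", e)
    print(lookup(QNAME, validate=True))   # apex matches the cut: validates
```

Without validation the resolver follows the parent's referral for the whole name, reaches ns1.example.com, and takes the NAPTR at face value; the fact that ns1 is serving it from a zone cut at 5.6.8.1.4.4.e164.arpa rather than at the delegation point is never examined. With validation on, the signer name of the answer is compared with the zone the referral chain led to and the mismatch surfaces as a bogus answer; with the child apex at the delegation point the same lookup validates.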