Re: DNSSEXT Yokohama Minutes
David Blacka <davidb@verisignlabs.com> writes:
[example snipped]
Let me give a different example (similar to before). Note that
between query-1 and query-2 the zone has changed.
Q: foo.bar. IN A
AUTH: a.bar IN NXT g.bar
      a.bar IN SIG NXT ...

Q: baz.bar. IN A
AUTH: a.bar IN NXT d.bar
      a.bar IN SIG NXT ...

Q: a.bar IN ANY (or IN NXT)
AUTH: ???
What do you return here? This is still the same problem. Do you
return both? Do you choose one?
> Note that I'm not suggesting that the resolver build negative proof
> out of NXT records that it has in its cache. You (and Roy)
> illustrated the potential problems with that fairly clearly.
>
> I am trying to draw a distinction between Roy's stated requirement
> that "[NXT records] MUST NOT be stored as individual records", and a
> slightly weaker restriction that resolvers MUST NOT use cached NXT
> records to construct new negative (or opt-in) proofs.
>
> Of course, I think that this particular example that I'm bringing up
> is not very natural. I'm not sure that this particular query sequence
> would occur except for debugging.
Yes, but as I (hopefully) pointed out, it can be just as problematic.
> Derek> As I said, hopefully Roy can better explain this.
>
> You did a pretty good job.
Thank you. I wasn't so sure last night.
> David Blacka <davidb@verisignlabs.com>
> Sr. Engineer Verisign Applied Research
-derek
--
Derek Atkins
Computer and Internet Security Consultant
derek@ihtfp.com www.ihtfp.com
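The query sequence in Derek's message, worked through in code. This is an added illustration, not code from the thread or from any resolver: a toy cache that stores each NXT RR individually under (owner, type), a hash-based stand-in for SIG that, like a real SIG, covers the whole RRset rather than each RR, and a canonical-order check of what an NXT record proves. The zone contents (a.bar, g.bar, then d.bar added), the key constant and all function names are constructed for the example.

```python
"""Why NXT records cannot be cached as individual RRs: after the zone changes
between two queries, the cache holds two NXT RRs for a.bar, each with a valid
SIG, that disagree about what exists. Constructed example, not thread code."""
import hashlib

ZONE_KEY = b"constructed-zone-key"   # stands in for the zone's private key


def canonical(name):
    """Canonical DNS ordering key: lower-cased labels compared from the right.
    Real canonical order is octet-wise on lower-cased labels; for the ASCII
    labels used here, Python tuple comparison gives the same order."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))


def sign_rrset(owner, rtype, rdatas):
    """Stand-in for SIG: one value over the entire RRset in sorted order.
    A real SIG(NXT) likewise covers all RRs of the set, not each RR alone."""
    body = "|".join([owner.lower(), rtype] + sorted(r.lower() for r in rdatas))
    return hashlib.sha256(ZONE_KEY + body.encode()).hexdigest()


def verify_rrset(owner, rtype, rdatas, sig):
    return sign_rrset(owner, rtype, rdatas) == sig


def nxt_proves_absent(owner, next_name, qname):
    """Does 'owner NXT next_name' prove that qname does not exist?
    True when owner < qname < next_name in canonical order. The last NXT in a
    zone points back at the apex (owner > next), so it covers all later names."""
    o, n, q = canonical(owner), canonical(next_name), canonical(qname)
    if o < n:
        return o < q < n
    return q > o


class NaiveCache:
    """Caches every RR individually under (owner, type): the behaviour the
    thread argues MUST NOT be applied to NXT."""

    def __init__(self):
        self.rrs = {}   # (owner, type) -> {rdata: sig that came with it}

    def add(self, owner, rtype, rdata, sig):
        self.rrs.setdefault((owner.lower(), rtype), {})[rdata.lower()] = sig

    def lookup(self, owner, rtype):
        return self.rrs.get((owner.lower(), rtype), {})


def run_sequence():
    """Replays query-1, query-2 (zone changed in between) and query-3."""
    cache = NaiveCache()
    # Zone version 1 holds a.bar and g.bar. Query-1 for foo.bar returns the
    # covering record "a.bar NXT g.bar" and its SIG.
    sig1 = sign_rrset("a.bar", "NXT", ["g.bar"])
    cache.add("a.bar", "NXT", "g.bar", sig1)
    # Zone version 2: d.bar has been added. Query-2 for baz.bar returns
    # "a.bar NXT d.bar" with a fresh SIG.
    sig2 = sign_rrset("a.bar", "NXT", ["d.bar"])
    cache.add("a.bar", "NXT", "d.bar", sig2)
    # Query-3: a.bar IN NXT (or ANY). What does the cache have to offer?
    held = cache.lookup("a.bar", "NXT")
    merged = sorted(held)
    return {
        "cached_next_names": merged,
        # Returning both as one RRset: neither stored SIG verifies it.
        "merged_rrset_verifies": any(
            verify_rrset("a.bar", "NXT", merged, s) for s in held.values()),
        # Each RR alone still verifies, so the cache cannot tell which is stale.
        "each_alone_verifies": all(
            verify_rrset("a.bar", "NXT", [r], s) for r, s in held.items()),
        # Building a negative proof for d.bar from the cache gives opposite
        # answers depending on which RR is picked.
        "d.bar_absent_per_rr": {
            r: nxt_proves_absent("a.bar", r, "d.bar") for r in merged},
    }


if __name__ == "__main__":
    for key, value in run_sequence().items():
        print(f"{key}: {value}")
```

The two outcomes are the ones the message points at: the pair of RRs cannot be returned together (no SIG covers the merged set), and picking one means the resolver is choosing which version of the zone to believe, which is exactly why the thread wants NXT kept as a whole, SIG-covered RRset tied to the response it arrived in rather than as loose cached records.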
--
archive: <http://ops.ietf.org/lists/namedroppers/>