Re: MagicType draft
On Tue, Nov 16, 2004 at 10:07:16AM +0100, Miek Gieben wrote:
> Since this method requires online signing there is no longer the need
> to special case wildcard records. These will now be signed on the
> fly. This in turn simplifies negative responses, as there is no
> longer the need to prove that the original QNAME does not exist.
I don't understand this text.

RFC 2535:

In particular, when a non-existent name response is returned, an NXT
must be returned showing that the exact name queried did not exist
and, in general, one or more additional NXT's need to be returned to
also prove that there wasn't a wildcard whose expansion should have
been returned.

From wcard-clarify-00:

When synthesizing a negative answer that is derived from a wild
card, meaning that a wild card matched the QNAME (no exact match
happened for QNAME) but that there is no match for QTYPE there, at
most two negative answers are needed, possibly one. As in 6.2.1,
a proof that the exact match failed is needed. A second proof is
needed to show that the wild card domain name does not have the QTYPE.

Why does the online signing of wildcard records remove the need to prove
the original QNAME does not exist?
-- Andras Salamon andras@dns.net
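As an added illustration of the proofs the quoted text is talking about (not part of the message above), here is a toy Python model of an NSEC chain (the RFC 4034/4035 successor of NXT) that works out which denial records a validator needs for a given QNAME/QTYPE: one NSEC covering the exact QNAME, plus either the wildcard owner's NSEC (type missing) or an NSEC covering the wildcard name (no wildcard at the closest encloser). The zone contents are constructed for the example, and empty non-terminals are not modelled.

```python
from typing import Dict, List, Set, Tuple

Nsec = Tuple[str, str, frozenset]  # (owner, next owner, types present at owner)

def canon(name: str) -> Tuple[str, ...]:
    """RFC 4034 canonical ordering key: labels reversed, compared case-insensitively."""
    return tuple(l.lower() for l in reversed(name.rstrip(".").split(".")))

class Zone:
    def __init__(self, rrsets: Dict[str, Set[str]]):
        self.rrsets = rrsets                    # owner name -> types present
        self.names = sorted(rrsets, key=canon)  # the NSEC chain, in canonical order

    def nsec(self, owner: str) -> Nsec:
        """NSEC owned by an existing name; the last name's 'next' wraps to the apex."""
        i = self.names.index(owner)
        return (owner, self.names[(i + 1) % len(self.names)], frozenset(self.rrsets[owner]))

    def covering_nsec(self, name: str) -> Nsec:
        """NSEC whose owner..next span covers a name that does not exist."""
        key = canon(name)
        below = [n for n in self.names if canon(n) < key]
        return self.nsec(below[-1])  # largest existing name sorting before `name`

    def closest_encloser(self, qname: str) -> str:
        labels = qname.rstrip(".").split(".")
        for i in range(1, len(labels)):
            cand = ".".join(labels[i:]) + "."
            if cand in self.rrsets:
                return cand
        raise ValueError("qname not below this zone")

    def negative_proofs(self, qname: str, qtype: str) -> Tuple[str, List[Nsec]]:
        if qname in self.rrsets:  # exact match exists
            if qtype in self.rrsets[qname]:
                return ("POSITIVE", [])
            return ("NODATA", [self.nsec(qname)])
        wild = "*." + self.closest_encloser(qname)
        proofs = [self.covering_nsec(qname)]  # proof that the exact match failed
        if wild in self.rrsets:
            if qtype in self.rrsets[wild]:
                return ("WILDCARD", proofs)   # synthesized answer still carries the QNAME proof
            proofs.append(self.nsec(wild))    # wildcard matched but lacks QTYPE
            return ("NODATA", proofs)
        w = self.covering_nsec(wild)          # no wildcard at the closest encloser
        if w not in proofs:                   # "at most two, possibly one"
            proofs.append(w)
        return ("NXDOMAIN", proofs)

# Constructed sample zone: apex, one wildcard with MX only, two plain names with A.
ZONE = Zone({"example.": {"SOA", "NS", "DNSKEY"}, "a.example.": {"A"},
             "*.example.": {"MX"}, "c.example.": {"A"}})
```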
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>