Re: MagicType draft
> On Tue, Nov 16, 2004 at 10:07:16AM +0100, Miek Gieben wrote:
> > Since this method requires online signing there is no longer the need
> > to special case wildcard records. These will now be signed on the
> > fly. This in turn simplifies negative responses, as there is no
> > longer the need to prove that the original QNAME does not exist.
>
> I don't understand this text.
>
> RFC 2535:
>
> In particular, when a non-existent name response is returned, an NXT
> must be returned showing that the exact name queried did not exist
> and, in general, one or more additional NXT's need to be returned to
> also prove that there wasn't a wildcard whose expansion should have
> been returned.
>
> From wcard-clarify-00:
>
> When synthesizing a negative answer that is derived from a wild
> card, meaning that a wild card matched the QNAME (no exact match
> happened for QNAME) but that there is no match for QTYPE there, at
> most two negative answers are needed, possibly one. As in 6.2.1,
> a proof that the exact match failed is needed. A second proof is
> needed to show that the wild card domain name does not have the QTYPE.
>
> Why does the online signing of wildcard records remove the need to prove
> the original QNAME does not exist?
>
> -- Andras Salamon andras@dns.net
You are dealing with different threats and accepted risks.
* Relay of wildcard proofs to different qnames.
* Server compromise.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
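The two threat models named in the reply above, as an added toy model that is not code from this thread or from any DNS implementation: an HMAC stands in for RRSIG, the zone, key and names are constructed, and the model keeps only the exact-match NSEC check the quoted text discusses. It shows why a pre-signed wildcard answer needs the NSEC/NXT proof for the original QNAME (otherwise it can be relayed to a name that really exists) and why an answer signed on the fly at the QNAME does not.

```python
import hmac, hashlib
ZSK = b"constructed-sample-zone-key"  # assumption: stands in for a real zone-signing key

def rrsig(owner, labels, rtype, rdata):
    """Stand-in RRSIG: an HMAC over the fields a real RRSIG binds (simplified model)."""
    return hmac.new(ZSK, f"{owner}|{labels}|{rtype}|{rdata}".encode(), hashlib.sha256).hexdigest()
def labels_of(name):
    return name.rstrip(".").split(".")
def canon(name):
    """DNSSEC canonical ordering key: labels compared right to left."""
    return tuple(reversed([lab.lower() for lab in labels_of(name)]))

# Constructed zone: one wildcard plus one real name the wildcard must never shadow.
ZONE = {"*.example.": "wild", "real.example.": "real"}
NAMES = sorted(["example."] + list(ZONE), key=canon)
NSEC = [(NAMES[i], NAMES[(i + 1) % len(NAMES)]) for i in range(len(NAMES))]  # NSEC chain

def nsec_covers(owner, nxt, qname):
    """True if qname lies strictly inside the gap (owner, nxt); the last NSEC wraps to the apex."""
    o, n, q = canon(owner), canon(nxt), canon(qname)
    return (o < q < n) if o < n else (q > o or q < n)

def answer_offline(qname):
    """Pre-signed zone: every wildcard answer reuses the one '*.example.' RRSIG, so the
    server must also ship the NSEC proving that qname itself has no exact match."""
    own, nxt = next(p for p in NSEC if nsec_covers(*p, qname))
    return {"qname": qname, "rdata": ZONE["*.example."], "labels": 1,
            "sig": rrsig("*.example.", 1, "TXT", ZONE["*.example."]),
            "nsec": (own, nxt, rrsig(own, len(labels_of(own)), "NSEC", nxt))}

def validate_offline(r):
    """Resolver: the wildcard RRSIG verifies for *any* name under '*.example.', so alone it
    is relayable; the NSEC coverage check is what binds the answer to this qname."""
    wc = "*." + ".".join(labels_of(r["qname"])[-r["labels"]:]) + "."  # RFC 4035 5.3.3 reconstruction
    own, nxt, nsig = r["nsec"]
    sig_ok = hmac.compare_digest(rrsig(wc, r["labels"], "TXT", r["rdata"]), r["sig"])
    nsec_ok = hmac.compare_digest(rrsig(own, len(labels_of(own)), "NSEC", nxt), nsig)
    return sig_ok and nsec_ok and nsec_covers(own, nxt, r["qname"])

def answer_online(qname):
    """Online signing: the synthesized RRset is signed at qname itself, so no NSEC is needed."""
    n = len(labels_of(qname))
    return {"qname": qname, "rdata": ZONE["*.example."], "labels": n,
            "sig": rrsig(qname, n, "TXT", ZONE["*.example."])}

def validate_online(r):  # the signature verifies only for the name it was made at
    return hmac.compare_digest(rrsig(r["qname"], r["labels"], "TXT", r["rdata"]), r["sig"])

def relay(r, new_qname):  # the relay threat from the reply: a captured answer replayed for another qname
    return {**r, "qname": new_qname}
```

The second threat in the reply, server compromise, is the price of the online approach: the signing key must be on the answering server, which the pre-signed model avoids.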