wild card validation question
Regarding this from the minutes:
# Example in presentation:
# ************************************************
# Zone has *.example. IN 3600 NS bogon.example.
# *.example. IN 3600 NSEC twn.example. NS NSEC RRSIG
#
# twn.example. IN 3600 NSEC twp.example. ...
# twn.example. IN 3600 RRSIG NSEC ... signed by example. ...
#
# twp.example. IN 3600 NSEC example. ...
#
# Query: two.example. IN NS
#
# Answer has (?):
# AA = 1, RCODE = 0 (not name error)
# Answer: two.example. IN 3600 NS bogon.example.
# Authority: twn.example. IN 3600 NSEC twp.example. ...
# twn.example. IN 3600 RRSIG NSEC ... signed by example. ...
#
# Suggested fixes:
# a. outlaw loading zones with * NS
# b. exempt certain types from wildcard processing
# c. instruct DNSSEC validators to ignore "problem"
# d. Specify * label can't have certain types and cannot be subdomained
#
# Questions:
#
# There were some statements that c. was the right way to go, but
# need for a clear definition what that means. There was also
# discussion that this is an answer not a referral but that needs to
# be discussed on the mailing list.
I've been meaning to post this to the list, but my schedule has
prevented me from doing so.
Note that the reply here is not a referral - the NS appears in the
answer section, as it is the answer to the query. (This is why an NS
query is used as an example.)
Answer C does seem to be the smoothest way out - unless your metric
is code smoothness. The implication is that the validator has to
understand the special case-ness of this situation. (We may also see
this is true for DS records too, I haven't gotten that far yet.)
Are we willing to accept that the validator is going to be "smart
enough" to understand the odd ball case here? (5 points extra credit
for whoever can enumerate the conditions in which an NS RRSet is
properly signed by the "parent.")
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
"A noble spirit embiggens the smallest man." - Jebediah Springfield
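
An added example, not part of the original message or the minutes: the denial check a validator can run on the response above, using RFC 4034 canonical ordering to confirm that the NSEC in the authority section covers two.example., so the NS answer can only have been synthesized from *.example. It assumes the closest encloser is the apex example.; the function names are hypothetical, and it covers only the NSEC half of validation, not the question of who signs the NS RRset.

```python
# Added illustration; owner names are the ones in the quoted minutes.

def canonical_key(name):
    """Sort key for RFC 4034 section 6.1 canonical ordering:
    labels compared right to left, each as lowercase bytes."""
    labels = name.rstrip(".").lower().split(".")
    return [label.encode("ascii") for label in reversed(labels)]

def nsec_covers(owner, next_name, qname):
    """True if the NSEC (owner -> next_name) proves qname has no exact match."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if o < n:                  # ordinary link in the NSEC chain
        return o < q < n
    return q > o or q < n      # last link, which wraps back to the apex

def wildcard_owner(qname, closest_encloser):
    """Owner name of the wildcard that would synthesize data for qname."""
    q, ce = canonical_key(qname), canonical_key(closest_encloser)
    if q[:len(ce)] != ce or len(q) == len(ce):
        raise ValueError("qname is not below the closest encloser")
    return "*." + closest_encloser

def explain_response(qname, closest_encloser, authority_nsecs):
    """Return (covering NSEC, wildcard owner), or (None, None) when no
    NSEC in the authority section denies an exact match for qname."""
    for owner, next_name in authority_nsecs:
        if nsec_covers(owner, next_name, qname):
            return (owner, next_name), wildcard_owner(qname, closest_encloser)
    return None, None

if __name__ == "__main__":
    # Authority section from the example: twn.example. NSEC twp.example.
    authority = [("twn.example.", "twp.example.")]
    nsec, source = explain_response("two.example.", "example.", authority)
    print("covering NSEC:", nsec)
    print("answer must come from:", source)
```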