[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: DNSSEC - Signature Only vs the MX/A issue.

To: Mike StJohns <Mike.StJohns@nominum.com>
Subject: Re: DNSSEC - Signature Only vs the MX/A issue.
From: Florian Weimer <fw@deneb.enyo.de>
Date: Sat, 02 Dec 2006 21:14:18 +0100
Cc: namedroppers@ops.ietf.org
Delivery-date: Sat, 02 Dec 2006 20:20:04 +0000
Envelope-to: namedroppers-data@psg.com

* Mike StJohns:

> Any other ideas in this general topic?

I think this could be addressed in a straightforward manner, keeping
the spirit of SO, if you published a signed bitmap of all permitted
RTYPE/RCLASS combinations for a particular value.

If you wonder if this is worth the additional complexity, it seems to
me that this is less complex than the A/MX heuristics described
earlier in the thread.  At least it's completely deterministic.

There is a significant overhead, of course, compared to SO as
proposed, but less so compared to plain old DNS.

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

Prev by Date: DNSEXT list policy
Next by Date: Re: DNSSEC - Signature Only vs the MX/A issue.
Previous by thread: Re: DNSSEC - Signature Only vs the MX/A issue.
Next by thread: Re: DNSSEC - Signature Only vs the MX/A issue.
Index(es):
- Date
- Thread