
RE: DNSSEC - Signature Only vs the MX/A issue.



Seems to me that this discussion consists of endless demands for further particulars followed by the complaint that the answers to those particulars are too long.

NSEC3 is not at all complex by crypto standards. 

> -----Original Message-----
> From: owner-namedroppers@ops.ietf.org 
> [mailto:owner-namedroppers@ops.ietf.org] On Behalf Of bert hubert
> Sent: Monday, December 04, 2006 4:38 PM
> To: David Blacka-CR
> Cc: Mike StJohns; Paul Vixie; namedroppers@ops.ietf.org
> Subject: Re: DNSSEC - Signature Only vs the MX/A issue.
> 
> On Mon, Dec 04, 2006 at 04:20:50PM -0500, David Blacka wrote:
> > I feel compelled to point out that NSEC3 isn't that complicated to
> > actually *do*.  If it is complex, it is complex to analyze.  That is,
> > it can be hard to convince yourself that it works without a bit of
> > mental stretching.
> 
> It has a 51 page draft, and it details only *non*-existence.
> 
> I am referring to NSEC3 non-existence proofs. Perhaps I 
> missed something, but messages like:
>  
> "In practice, then, we must show an NSEC3 record that encloses the
> hash of x.C, one that encloses the hash of *.C, and any RR owned by C
> (which could be an NSEC3, in which case it would be owned by the hash
> of C). A resolver verifying this proof would have to try longer and
> longer closest enclosers to determine which was being demonstrated as
> C, if an NSEC3 is presented. If any other RR was used, then C would be
> the owner. Once C has been determined, the resolver can easily check
> x.C and *.C against the proof."
> 
> http://www.ops.ietf.org/lists/namedroppers/namedroppers.2005/msg00468.html
> 
> .. look rather like I need to solve for a system of 
> constraints within my software.
> 
> But perhaps this applied to a previous draft, or perhaps I am
> dense (most likely). The mind boggles however at the failure
> modes implied by the wording quoted above.
> 
> 	Bert
> 
> -- 
> http://www.PowerDNS.com      Open source, database driven DNS Software
> http://netherlabs.nl         Open and Closed source services
> 
> --
> to unsubscribe send a message to 
> namedroppers-request@ops.ietf.org with the word 'unsubscribe' 
> in a single line as the message text body.
> archive: <http://ops.ietf.org/lists/namedroppers/>
> 
> 

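The three-record proof Bert quotes above (an NSEC3 matching the closest encloser C, one covering the hash of the next closer x.C, and one covering the hash of *.C) is what RFC 5155 section 8.4 asks a validating resolver to check. The following is an added worked example, not code from this thread, from PowerDNS or from any draft: it implements the NSEC3 hash (algorithm 1, SHA-1 with salt and iterations), a constructed signer side that links hashed owner names into a chain, and the resolver-side search that strips labels off the query name until an NSEC3 matches an ancestor, then confirms that the next closer and the wildcard are covered. The zone apex `example`, the salt `aabbccdd`, the 12 iterations and the names in `ZONE_NAMES` are constructed for illustration; the third case in `demo()` shows the failure mode a resolver has to handle when one of the three records is missing from the response.

```python
"""NSEC3 NXDOMAIN (closest-encloser) proof check, after RFC 5155 sections 5 and 8.4.
Added example; zone contents, salt and iteration count are constructed, not from the thread."""
import base64
import hashlib

# base32hex (RFC 4648 section 7) preserves the byte order of the digests, so the
# owner-name strings sort the same way as the hashes they encode.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name):
    """Canonical wire form: lower-cased, length-prefixed labels, terminating root label."""
    labels = [lbl for lbl in name.lower().split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def nsec3_hash(name, salt, iterations):
    """Hash algorithm 1: IH(0) = SHA1(name || salt), IH(k) = SHA1(IH(k-1) || salt)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def build_chain(existing_names, salt, iterations):
    """Constructed signer side: one (owner_hash, next_hash) NSEC3 per name, sorted and wrapping."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in existing_names)
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]


def covers(rr, h):
    """An NSEC3 covers h if h lies strictly between owner and next (or in the wrap-around gap)."""
    owner, nxt = rr
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt          # last record of the chain wraps to the first


def matches(chain, h):
    return any(owner == h for owner, _ in chain)


def is_covered(chain, h):
    return any(covers(rr, h) for rr in chain)


def prove_nxdomain(qname, apex, salt, iterations, chain):
    """Resolver side. Strip labels from qname until an NSEC3 matches an ancestor C; then the
    next closer x.C and the wildcard *.C must both be covered. Returns (C, x.C) when the
    records prove the NXDOMAIN, None when they do not (name exists, or a record is missing)."""
    labels = qname.lower().rstrip(".").split(".")
    apex_labels = apex.lower().rstrip(".").split(".")
    depth = len(labels) - len(apex_labels)
    if depth <= 0 or labels[-len(apex_labels):] != apex_labels:
        return None                                   # not below this zone
    if matches(chain, nsec3_hash(qname, salt, iterations)):
        return None                                   # qname exists: nothing to prove
    for i in range(1, depth + 1):                     # deepest ancestor first, up to the apex
        candidate = ".".join(labels[i:])
        next_closer = ".".join(labels[i - 1:])
        if matches(chain, nsec3_hash(candidate, salt, iterations)):
            if not is_covered(chain, nsec3_hash(next_closer, salt, iterations)):
                return None                           # x.C not shown absent
            if not is_covered(chain, nsec3_hash("*." + candidate, salt, iterations)):
                return None                           # *.C not shown absent: wildcard possible
            return candidate, next_closer
    return None


# Constructed zone: these names exist and are signed; everything else below example does not.
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 12
APEX = "example"
ZONE_NAMES = ["example", "a.example", "ns1.example", "ns2.example", "x.y.w.example"]
CHAIN = build_chain(ZONE_NAMES, SALT, ITERATIONS)


def demo():
    # Withhold the NSEC3 owned by the hash of a.example: that hash is then neither matched
    # nor covered, so the search falls through to the apex and the next closer fails.
    withheld = [rr for rr in CHAIN if rr[0] != nsec3_hash("a.example", SALT, ITERATIONS)]
    return {
        "x.y.a.example": prove_nxdomain("x.y.a.example", APEX, SALT, ITERATIONS, CHAIN),
        "ns1.example (exists)": prove_nxdomain("ns1.example", APEX, SALT, ITERATIONS, CHAIN),
        "x.y.a.example, a.example NSEC3 withheld":
            prove_nxdomain("x.y.a.example", APEX, SALT, ITERATIONS, withheld),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The search runs from the query name upwards rather than, as the quoted message puts it, trying longer and longer enclosers from the apex; both orders end at the same longest existing ancestor, but stripping labels means the first match found is the closest encloser, and each candidate costs one extra hash computation per label plus the two covering checks.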