
Re: additions to dnssec-bis-updates-04.txt



At 17:38 +0100 12/19/06, Roy Arends wrote:

> You want to be sure the NSEC record is from the correct zone, let's say
> "from the zone that has the authority to make that claim", and not from an
> ancestor zone.

The only time the bitmap will give a hint whether the NSEC is right or not is when a parent/child is involved, when the owner name is the same between two NSEC choices.

It's possible that an NSEC owned by an ancestor label will not have any delegation information.

www.foo.bar.example.com - A AAAA NSEC DNSKEY RRSIG
foo.bar.example.com - SOA NS NSEC DNSKEY RRSIG or NS DS NSEC DNSKEY RRSIG
bar.example.com - TXT
example.com - same as foo-bar-...
com - ditto
. - just the second half of the above

Come to think of it, none of the ancestor NSECs would cover the last anyway - all of the next names would be at or before the next name down.

> I was ranting against the use of the word 'parent' instead of ancestor.
> That is all.

In this case, it would seem that parent is more accurate than ancestor.

Also, keep in mind that the NSEC has to be signed by its zone - that ought to give away the authority of the NSEC. The only reason the bitmap comes up is if you want to avoid having to look at the RRSIG.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

Dessert - aka Service Pack 1 for lunch.

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
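An added illustration of the two points in the message above (it is not code from the message, the draft, or any DNSSEC implementation): the type bitmap tells a parent-side delegation NSEC (NS, no SOA) from the child's apex NSEC (SOA present) when both have the same owner name, and the RRSIG signer name says which zone is actually speaking. The example also applies the rule the draft was clarifying, later published as RFC 6840 section 4.1, that an ancestor delegation NSEC must not be used for names below the zone cut. NSEC and RRSIG are modelled as small Python records with the bitmap as a set of type mnemonics; the next names and the "goo" sibling are constructed for the example and appear nowhere in the message.

```python
# Added example (not from the namedroppers message): decide which zone an
# NSEC speaks for, and whether it may be used for a given name.
from dataclasses import dataclass
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class NSEC:
    owner: str             # owner name, e.g. "foo.bar.example.com."
    next_name: str         # Next Domain Name field
    types: FrozenSet[str]  # Type Bit Maps, modelled as RR type mnemonics


@dataclass(frozen=True)
class RRSIG:
    signer: str  # Signer's Name field: the zone whose key produced the signature


def canonical_key(name: str) -> Tuple[str, ...]:
    """Sort key for RFC 4034 section 6.1 canonical ordering: labels are
    compared right to left, case-insensitively; a name sorts before any
    name that has it as a suffix."""
    stripped = name.rstrip(".").lower()
    return tuple(reversed(stripped.split("."))) if stripped else ()


def in_zone(zone: str, name: str) -> bool:
    """True when zone is an ancestor of name or equal to it."""
    z, n = canonical_key(zone), canonical_key(name)
    return n[:len(z)] == z


def nsec_role(nsec: NSEC) -> str:
    """Classify by bitmap, as the message does: SOA marks the child's apex
    NSEC; NS without SOA marks the parent's NSEC at the delegation."""
    if "SOA" in nsec.types:
        return "child-apex"
    if "NS" in nsec.types:
        return "parent-delegation"
    return "ordinary"


def nsec_covers(nsec: NSEC, qname: str) -> bool:
    """owner < qname < next in canonical order; the zone's last NSEC points
    back to the apex, so its interval wraps around."""
    o, n, q = (canonical_key(nsec.owner), canonical_key(nsec.next_name),
               canonical_key(qname))
    if o < n:
        return o < q < n
    return q > o or q < n


def usable_for_name(nsec: NSEC, rrsig: RRSIG, qname: str) -> Tuple[bool, str]:
    """May this NSEC be used to prove qname does not exist?

    The RRSIG signer names the zone that is speaking (the message's point):
    it must contain the owner, and an apex bitmap must be signed by the apex
    itself. A parent-side delegation NSEC only speaks for the parent, so it
    must not be used for names below the cut (the rule the draft clarified,
    published later as RFC 6840 section 4.1). Returns (ok, reason).
    """
    if not in_zone(rrsig.signer, nsec.owner):
        return False, "signer %s is not an ancestor of the owner" % rrsig.signer
    role = nsec_role(nsec)
    if role == "child-apex" and canonical_key(rrsig.signer) != canonical_key(nsec.owner):
        return False, "apex bitmap (SOA) but signed by %s" % rrsig.signer
    if (role == "parent-delegation" and in_zone(nsec.owner, qname)
            and canonical_key(qname) != canonical_key(nsec.owner)):
        return False, "ancestor delegation NSEC cannot speak for names below the cut"
    if not nsec_covers(nsec, qname):
        return False, "qname is outside the NSEC interval"
    return True, "ok"


# Constructed sample data using the names from the message; the next names
# and the "goo" sibling are invented for this example.
PARENT_NSEC = NSEC("foo.bar.example.com.", "goo.bar.example.com.",
                   frozenset({"NS", "DS", "NSEC", "RRSIG"}))
PARENT_SIG = RRSIG("bar.example.com.")
CHILD_NSEC = NSEC("foo.bar.example.com.", "www.foo.bar.example.com.",
                  frozenset({"SOA", "NS", "NSEC", "DNSKEY", "RRSIG"}))
CHILD_SIG = RRSIG("foo.bar.example.com.")


if __name__ == "__main__":
    q = "mail.foo.bar.example.com."
    for label, nsec, sig in (("parent", PARENT_NSEC, PARENT_SIG),
                             ("child", CHILD_NSEC, CHILD_SIG)):
        print(label, nsec_role(nsec), nsec_covers(nsec, q),
              usable_for_name(nsec, sig, q))
```

Run as a script, the parent-side NSEC reports that it numerically covers mail.foo.bar.example.com but is refused because it is an ancestor delegation NSEC, while the child's apex NSEC, signed by foo.bar.example.com, is accepted; swapping the signer under the apex NSEC makes the authority check fail even though the bitmap looks right.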