Re: additions to dnssec-bis-updates-04.txt
Edward Lewis <Ed.Lewis@neustar.biz> wrote on 12/19/2006 06:14:26 PM:
> At 17:38 +0100 12/19/06, Roy Arends wrote:
>
> >You want to be sure the NSEC record is from the correct zone, let's say
> >"from the zone that has the authority to make that claim", and not from an
> >ancestor zone.
>
> The only time the bit map will give a hint whether the NSEC is right
> or not is when it is parent/child involved, when the owner name is
> the same between two NSEC choices.

root: com NSEC edu NS DS
tld: example.com NSEC lewis.com NS DS
sld: www.example.com NSEC example.com A

QNAME is www.example.com

The spoofed response contains: com NSEC edu NS DS

This is obviously from an ancestor (grandpa in this case), not the parent.

This was about terminology, not the rules themselves, so I don't see what the
rest of your response about rules and ways to check, etc., etc. has to do
with my point about terminology.

Roy Arends
Nominet UK
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
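
Added example, not part of the archived message: a validator-side check showing that the NSEC records from the root and tld zones pass a plain canonical-order range test for QNAME www.example.com, and are rejected only once the "ancestor delegation" test (NS bit set, SOA bit clear, signer shorter than owner, as later specified in RFC 6840 section 4.1) is applied. The signer values are an assumption derived from the root:/tld:/sld: labels in the message, and all function names are hypothetical.

```python
# Constructed sample data: the three NSEC RRs from the message. The "signer"
# values are an assumption, taken from the root:/tld:/sld: labels.
NSECS = {
    "root": dict(owner="com", next="edu", types={"NS", "DS"}, signer="."),
    "tld": dict(owner="example.com", next="lewis.com", types={"NS", "DS"}, signer="com"),
    "sld": dict(owner="www.example.com", next="example.com", types={"A"}, signer="example.com"),
}

def labels(name):
    """Lowercase labels, root-most first; the root name '.' gives []."""
    name = name.rstrip(".").lower()
    return name.split(".")[::-1] if name else []

def naive_covers(rr, qname):
    """Range test only: owner < qname < next in canonical order (ASCII
    labels), allowing for the last NSEC wrapping back to the zone apex."""
    o, q, n = labels(rr["owner"]), labels(qname), labels(rr["next"])
    return o < q and (q < n or n <= o)

def is_ancestor_delegation(rr):
    """NS set, SOA clear, signer shorter than owner: the parent side of a cut."""
    return ("NS" in rr["types"] and "SOA" not in rr["types"]
            and len(labels(rr["signer"])) < len(labels(rr["owner"])))

def is_below(qname, owner):
    q, o = labels(qname), labels(owner)
    return len(q) > len(o) and q[:len(o)] == o

def verdict(rr, qname):
    # An NSEC from the parent side of a delegation says nothing about
    # names below that delegation, whatever its owner/next range suggests.
    if is_ancestor_delegation(rr) and is_below(qname, rr["owner"]):
        return "reject"
    if labels(rr["owner"]) == labels(qname):
        return "matches"
    return "covers" if naive_covers(rr, qname) else "irrelevant"

if __name__ == "__main__":
    for zone, rr in NSECS.items():
        q = "www.example.com"
        print(zone, "range test:", naive_covers(rr, q), "verdict:", verdict(rr, q))
```
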