
Re: RFC4034 6.2 item 3



On Tue, Mar 13, 2007 at 03:35:12PM -0400, Olafur Gudmundsson wrote:

> 1. The gateway field in IPSECKEY is a domain name
>         1.a: Can it be compressed ?

No.

>         1.b: Can its case be changed as the Record passes through the DNS ?

No.

>         1.c: Should the DNSSEC domain name canonical rules be applied
>              to the name before it is signed/verified ?

I don't think so.

>         1.d: Please explain your reasoning

RFC 3597 does not list IPSECKEY in Section 7.  Therefore, any
fiddling with the RDATA is not allowed.
 
> 2. Explain why different rules should apply to NSEC [RFC3845]
>    and/or NSEC3 [RFC-to-be]?

One might argue that the value to DNSSEC of catching such cases is
great enough that the rules in RFC 3597 can be violated.  That seems
like a pretty high bar to jump, though, and would require fairly
extensive discussion by the working group, I think.  I don't see such
discussion in the archive, and in its absence, I can't think of a
reason to apply different rules.
 
> 3. What RFCs need to be clarified?

It appears that RFC 4034 includes the same list of RRs as RFC 3597
(right down to listing HINFO twice), except that it adds RRSIG and NSEC.
That appears to violate the rules in RFC 3597.  So it likely needs
fixing.

A

-- 
Andrew Sullivan                         204-4141 Yonge Street
Afilias Canada                        Toronto, Ontario Canada
<andrew@ca.afilias.info>                              M2P 2A8
jabber: ajsaf@jabber.org                 +1 416 646 3304 x4110

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
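
Added example, not part of the original message or of any DNS implementation: a Python sketch of the rule argued in answer 1.d, where RDATA of a type outside the RFC 4034 section 6.2 item 3 list enters signing and validation byte for byte, while a listed type has its embedded name lower-cased. The helper names, the NAME_OFFSET subset of the list, the sample records and the use of SHA-256 as a stand-in for the signature input are assumptions made for illustration.

```python
import hashlib
import struct

# Subset of the RFC 4034 section 6.2 item 3 list, mapped to the offset of the
# single embedded name in the RDATA. IPSECKEY is deliberately absent.
NAME_OFFSET = {"NS": 0, "CNAME": 0, "PTR": 0, "DNAME": 0, "MX": 2}

def wire_name(name: str) -> bytes:
    """Uncompressed wire-format domain name, case preserved."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def fold_name_at(rdata: bytes, offset: int) -> bytes:
    """Lower-case the labels of the uncompressed name starting at offset."""
    out, i = bytearray(rdata[:offset]), offset
    while rdata[i] != 0:
        n = rdata[i]
        if n > 63:
            raise ValueError("compressed or invalid label")
        out += rdata[i:i + 1] + rdata[i + 1:i + 1 + n].lower()
        i += 1 + n
    return bytes(out) + rdata[i:]  # root label and trailing fields untouched

def signed_form(rrtype: str, rdata: bytes) -> bytes:
    """RDATA as it enters signing and validation: unlisted types are opaque."""
    if rrtype in NAME_OFFSET:
        return fold_name_at(rdata, NAME_OFFSET[rrtype])
    return rdata

def ipseckey_rdata(precedence: int, algorithm: int, gateway: str, key: bytes) -> bytes:
    """IPSECKEY RDATA (RFC 4025) with gateway type 3, a domain name."""
    return struct.pack("!BBB", precedence, 3, algorithm) + wire_name(gateway) + key

# Constructed sample records; the key bytes are a placeholder, not a real key.
IPSECKEY = ipseckey_rdata(10, 2, "GW.Example.COM.", b"\x01\x02\x03\x04")
MX = struct.pack("!H", 10) + wire_name("Mail.Example.COM.")

def digest(data: bytes) -> str:
    """SHA-256 over the RDATA, standing in for the full signature input."""
    return hashlib.sha256(data).hexdigest()

if __name__ == "__main__":
    print("MX folded:      ", signed_form("MX", MX) != MX)
    print("IPSECKEY intact:", signed_form("IPSECKEY", IPSECKEY) == IPSECKEY)
    # A validator that folds the gateway anyway hashes different bytes.
    print("digests differ: ", digest(fold_name_at(IPSECKEY, 3)) != digest(IPSECKEY))
```

If a signer treats the gateway as opaque and a validator folds it (or the reverse), the two sides hash different bytes and validation of an otherwise correct RRset fails.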