> From: Mark Andrews <ma...@isc.org>
>>> One problem with DiS is that it assumes that address records in the additional
>>> section *always* come from the delegating zone (see how the hash is
>>> created).
>>> This is not how DNS works. Address records can, correctly, come from other
>>> sources, even when the name is *below* the zone cut.
>>>
>>> Take a server that serves example.net and sub.child.example.net. That A record
>>> comes from sub.child.example.net not example.net when the name of the server is
>>> a.sub.example.net.
>>>
>>> child.example.net NS a.sub.example.net
>>> a.sub.example.net A 1.2.3.4
> I meant
> child.example.net NS a.sub.child.example.net
> a.sub.child.example.net A 1.2.3.4
>
> (which should have been obvious from the paragraph above)
Do you mean these 2 lines in the example.net zone?

> child.example.net NS a.sub.child.example.net
> a.sub.child.example.net A 1.2.3.4

Then we can generate a DiS RR:

hash ( child.example.net NS | a.sub.child.example.net A )

DNSSEC validators can get both "child.example.net NS a.sub.child.example.net" and the glue "a.sub.child.example.net A 1.2.3.4", and validate the child.example.net DiS RR.

--
Kazunori Fujiwara, JPRS <fujiw...@jprs.co.jp>

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
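To make the "hash ( NS | glue A )" idea above concrete, here is an added, stand-alone Python sketch that is not part of this thread and not the DiS draft's actual definition. It assumes a canonical input layout of its own (RFC 4034-style lowercased wire-format owner names, type, class IN, rdlength and rdata, no TTL, records sorted before hashing, SHA-256 as the digest) and uses the two records from the thread as constructed sample data. It computes the digest the parent would publish and the check a validator would run over what arrives in a referral, including the case where the glue in the additional section does not match. Note that it only covers the parent's copy of the glue A record; an A record served authoritatively by sub.child.example.net, the case Mark raises, is outside what this digest binds.

```python
import hashlib
import ipaddress
import struct

# Constructed sample from the thread: the example.net zone holds the NS for
# child.example.net plus the in-bailiwick glue A record for that name server.
CHILD = "child.example.net."
PARENT_NS = ["a.sub.child.example.net."]
PARENT_GLUE = {"a.sub.child.example.net.": ["1.2.3.4"]}


def _norm(name: str) -> str:
    """Case-insensitive DNS name, trailing dot removed."""
    return name.rstrip(".").lower()


def wire_name(name: str) -> bytes:
    """Uncompressed, lowercased wire-format name (RFC 4034 canonical form)."""
    out = b""
    for label in _norm(name).split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def canonical_rr(owner: str, rtype: int, rdata: bytes) -> bytes:
    """owner | type | class IN | rdlength | rdata.
    TTL is deliberately omitted (assumption: a delegation digest should not
    change just because the parent re-publishes with a different TTL)."""
    return wire_name(owner) + struct.pack("!HHH", rtype, 1, len(rdata)) + rdata


def delegation_digest(child: str, ns_set, glue: dict) -> str:
    """Digest over the child's NS RRset and the glue A records for every NS
    name at or below the delegation point. Records are sorted so the result
    does not depend on the order they appear in a packet or zone file."""
    child_wire = wire_name(child)
    glue_by_name = {_norm(k): v for k, v in glue.items()}
    records = [canonical_rr(child, 2, wire_name(ns)) for ns in ns_set]  # type 2 = NS
    for ns in ns_set:
        if not wire_name(ns).endswith(child_wire):
            continue  # out-of-bailiwick NS: this zone never supplies its glue
        for ip in glue_by_name.get(_norm(ns), []):
            records.append(canonical_rr(ns, 1, ipaddress.IPv4Address(ip).packed))  # type 1 = A
    return hashlib.sha256(b"".join(sorted(records))).hexdigest()


def validate_referral(child: str, ns_set, additional_glue: dict, expected: str) -> bool:
    """Validator side: recompute over the NS RRset and the glue that actually
    arrived in the referral, and compare with the signed digest."""
    return delegation_digest(child, ns_set, additional_glue) == expected


if __name__ == "__main__":
    published = delegation_digest(CHILD, PARENT_NS, PARENT_GLUE)
    print("published digest:", published)
    print("genuine referral validates:",
          validate_referral(CHILD, PARENT_NS, PARENT_GLUE, published))
    # Same NS RRset, but the additional section carries a different address.
    tampered = {"a.sub.child.example.net.": ["10.0.0.1"]}  # constructed
    print("altered glue validates:",
          validate_referral(CHILD, PARENT_NS, tampered, published))
```

Because the digest is computed over sorted canonical records, name case, trailing dots and record order in the referral do not affect the outcome, while any change to the bound NS target or glue address does. Out-of-bailiwick name servers contribute only their NS record, since the delegating zone does not carry their addresses at all.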