DNS is loosely coherent. DiS does not work when the sources of data are not coherent.
-- 
Mark Andrews

> On 5 Nov 2020, at 19:26, fujiw...@jprs.co.jp wrote:
>
>> From: Mark Andrews <ma...@isc.org>
>>>> One problem with DiS is that it assumes that address records in the additional
>>>> section *always* come from the delegating zone (see how the hash is
>>>> created).
>>>> This is not how DNS works. Address records can, correctly, come from other
>>>> sources, even when the name is *below* the zone cut.
>>>>
>>>> Take a server that serves example.net and sub.child.example.net. That A record
>>>> comes from sub.child.example.net not example.net when the name of the server is
>>>> a.sub.example.net.
>>>>
>>>> child.example.net NS a.sub.example.net
>>>> a.sub.example.net A 1.2.3.4
>>
>> I meant
>>
>> child.example.net NS a.sub.child.example.net
>> a.sub.child.example.net A 1.2.3.4
>>
>> (which should have been obvious from the paragraph above)
>
> Do you mean these 2 lines in the example.net zone?
>
>> child.example.net NS a.sub.child.example.net
>> a.sub.child.example.net A 1.2.3.4
>
> Then, we can generate DiS RR.
> hash ( child.example.net NS | a.sub.child.example.net A ).
>
> DNSSEC validators can get both "child.example.net NS a.sub.child.example.net"
> and glue "a.sub.child.example.net A 1.2.3.4",
> and validate child.example.net DiS RR.
>
> --
> Kazunori Fujiwara, JPRS <fujiw...@jprs.co.jp>
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
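The hash construction discussed in the thread, as an added example that is not part of the thread and is not the DiS draft's own code. It models the digest as SHA-256 over a canonical text form of the NS RRset followed by the name servers' address records; that canonical form and digest choice are assumptions of this example, not the draft's wire encoding. The sample records are constructed from the delegation in the thread, and the second address record is a constructed case where the zone that is authoritative for the server name (sub.child.example.net) has been renumbered while the parent's glue has not, which is the loose coherence the reply is about.

```python
# Added example, not from the thread or from the DiS draft: a simplified
# model of a digest over a delegation's NS RRset plus the address records
# of its name servers, to show why the *source* of those address records
# matters. Assumptions (mine, not the draft's): SHA-256 over a canonical
# text form of each record; the draft's wire-format canonicalisation and
# digest types are not modelled.
import hashlib


def canonical(rrs):
    """Normalise (owner, type, rdata) tuples so order and case do not matter."""
    out = []
    for owner, rtype, rdata in rrs:
        owner = owner.lower().rstrip(".") + "."
        if rtype.upper() == "NS":
            rdata = rdata.lower().rstrip(".") + "."
        out.append((owner, rtype.upper(), rdata))
    return sorted(out)


def dis_digest(ns_rrset, addr_rrs):
    """hash( NS RRset | address records ), hex encoded."""
    h = hashlib.sha256()
    for owner, rtype, rdata in canonical(ns_rrset) + canonical(addr_rrs):
        h.update(f"{owner} {rtype} {rdata}\n".encode())
    return h.hexdigest()


def validate(ns_rrset, addr_rrs, expected_digest):
    """What a validator does: rebuild the digest from the records it holds."""
    return dis_digest(ns_rrset, addr_rrs) == expected_digest


# Constructed sample: the delegation from the thread as published in the
# example.net zone (parent side), and the DiS digest the parent would sign.
PARENT_NS = [("child.example.net.", "NS", "a.sub.child.example.net.")]
PARENT_GLUE = [("a.sub.child.example.net.", "A", "1.2.3.4")]
PARENT_DIS = dis_digest(PARENT_NS, PARENT_GLUE)

# Constructed sample: the same name as served by sub.child.example.net, the
# zone that is actually authoritative for a.sub.child.example.net. Here it
# has been renumbered and the parent's glue has not caught up.
CHILD_AUTH_A = [("a.sub.child.example.net.", "A", "1.2.3.5")]


def validator_with_parent_glue():
    """Validator that used the glue from the delegating zone."""
    return validate(PARENT_NS, PARENT_GLUE, PARENT_DIS)


def validator_with_child_authoritative_a():
    """Validator that learned the A record from the authoritative child zone."""
    return validate(PARENT_NS, CHILD_AUTH_A, PARENT_DIS)


if __name__ == "__main__":
    print("A from delegating zone glue:", validator_with_parent_glue())           # True
    print("A from authoritative child: ", validator_with_child_authoritative_a())  # False
```

Both validators hold the same NS RRset and an address record for the same name; only the source of that record differs. Because the digest binds the parent's copy of the address, a validator that (correctly, per the reply above) obtained the address from the zone below the cut fails the check as soon as the two copies diverge.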