Re: [DNSOP] More solicitation for feedback on dns64

2009-03-26 Thread Doug Barton
Andrew, I "attended" (remotely) the behave group Tuesday, and heard your presentation to dnsop Tuesday as well, and I have to say I'm impressed with the work your group is doing, even (especially?) the bits I don't really understand. :) Andrew Sullivan wrote: > Dear colleagues, > > Despite the

Re: [DNSOP] More solicitation for feedback on dns64

2009-03-26 Thread Andrew Sullivan
On Thu, Mar 26, 2009 at 12:16:41AM -0700, Doug Barton wrote: > Here is where the alarm bells go off in my head. From 4035, Section 3.1.6: > A security-aware name server MUST NOT set the AD bit in a > response unless the name server considers all RRsets in the > Answer and Author

Re: [DNSOP] More solicitation for feedback on dns64

2009-03-26 Thread W.C.A. Wijngaards
Andrew Sullivan wrote: > So AD doesn't mean "I validated this", but rather "I know this is > valid". The translating validator _can_ know it's valid: it validated > the "base" A record, and then performed a translation using the data > it also has by

Re: [DNSOP] More solicitation for feedback on dns64

2009-03-26 Thread Doug Barton
Andrew Sullivan wrote: > On Thu, Mar 26, 2009 at 12:16:41AM -0700, Doug Barton wrote: > >> Here is where the alarm bells go off in my head. From 4035, Section 3.1.6: >> A security-aware name server MUST NOT set the AD bit in a >> response unless the name server considers all RRsets in t

[DNSOP] HIT-to-IP mapping presentation follow-up

2009-03-26 Thread Oleg Ponomarev
Greetings! I gave a presentation at the WG meeting on using DNS for mapping Host Identifiers to IP addresses, but there was no time for any details or discussions. The slides and the draft are available at http://www.ietf.org/proceedings/09mar/slides/dnsop-5.pdf and http://tools.ietf.org/ht

Re: [DNSOP] More solicitation for feedback on dns64

2009-03-26 Thread Andrew Sullivan
On Thu, Mar 26, 2009 at 11:50:44AM -0700, Doug Barton wrote: > > So AD doesn't mean "I validated this", but rather "I know this is > > valid". > > That is a pretty large (and I believe unwarranted) leap in logic. > There is a world of difference between "I am authoritative for this > zone" and "

Re: [DNSOP] More solicitation for feedback on dns64

2009-03-26 Thread Edward Lewis
I haven't found the dns64 draft yet, but was involved in the discussion in 2001 over the AD bit. A bunch of people, in the past wrote this stuff: > So AD doesn't mean "I validated this", but rather "I know this is > valid". That is correct. The AD bit isn't a statement of how the server

[DNSOP] AD bit set by authoritative servers [was: Re: More solicitation for feedback on dns64]

2009-03-26 Thread Holger Zuleger
Regarding the original thread, I fully support the opinion of Andrew and Edward. But regarding the AD bit discussion, I wondered if the following statement is true for authoritative name servers: Edward Lewis wrote: A bunch of people, in the past wrote this stuff: > So AD doesn't mean "I va

Re: [DNSOP] AD bit set by authoritative servers [was: Re: More solicitation for feedback on dns64]

2009-03-26 Thread Edward Lewis
At 1:28 +0100 3/27/09, Holger Zuleger wrote: So why doesn't an authoritative name server set the AD bit on answers to queries with the DO flag set? Good question. Perhaps the authoritative server does not have DNSSEC enabled? (BIND specific - in recent versions of BIND, since Feb 2007, if d

Re: [DNSOP] AD bit set by authoritative servers [was: Re: More solicitation for feedback on dns64]

2009-03-26 Thread Mark Andrews
In message , Edward Lewis writes: > At 1:28 +0100 3/27/09, Holger Zuleger wrote: > > >So why doesn't an authoritative name server set the AD bit on > >answers to queries with the DO flag set? > > Good question. Perhaps the authoritative server does not have DNSSEC enabled > ? > > (BIND specif

Re: [DNSOP] More solicitation for feedback on dns64

2009-03-26 Thread Doug Barton
Edward Lewis wrote: > > I haven't found the dns64 draft yet, but was involved in the discussion > in 2001 over the AD bit. > > A bunch of people, in the past wrote this stuff: > >>> > So AD doesn't mean "I validated this", but rather "I know this is >>> > valid". > > That is correct. The AD

[DNSOP] IPv6 reverse DNS for broadband

2009-03-26 Thread Durand, Alain
As promised in the meeting this week, I'm sending this email to the wg mailing list to ask anybody who is interested to work on the topic to contact me offline. - Alain.