To: Ted.Lindgreen@tednet.nl
Cc: dnsop@cafax.se, dnssec@nlnetlabs.nl
From: Edward Lewis <lewis@tislabs.com>
Date: Fri, 13 Oct 2000 10:27:18 -0400
In-Reply-To: <200010131349.PAA17610@omval.tednet.nl>
Sender: owner-dnsop@cafax.se
Subject: Re: DNSSEC and Parent SIG in Child zone

I think the reason why the SIG(KEY) is assumed to be in the child has to do with reducing the burden on the parent. (Assumed to be - by the specification, that is.)

E.g., I did the following queries:

dig @A.ROOT-SERVERS.NET. abc.com ns +norec

and

dig @DNS1.STARWAVE.COM. abc.com ns +norec

You notice that the first returns just two NS records (with a long TTL) and the latter returns 5 NS records (and a short TTL). This is okay - the NS set from the child is more credible (RFC 2181) and "overwrites" the glue at the parent.

Now, what do we do about the SIG(KEY) and KEY? How does the above relate?

First, what happens (or what should happen) when I do a query for KEY from abc.com? Would the parent (.com) just issue a referral (with the KEY in the additional section) or issue the straight answer? What if the signature doesn't fit in the 512 (or EDNS0-enabled larger size) message?

Second, what if I have the NS set for abc.com and want the KEY? I would issue the request directly to abc.com. If the SIG is only at the parent, how is it received? There aren't "up" pointers in DNS. (Consider that this might happen lower in the tree, where the parent isn't so well known as .com.)

I am asking not in jest, but as a part of wondering about the impact of storing the SIG(KEY) only in the parent.

BTW - do the top level delegators want to be storing the KEYs for all of the children zones? I thought this would be a thing to avoid.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NAI Labs
Phone: +1 443-259-2352
Email: lewis@tislabs.com
"It takes years of training to know when to do nothing" - Dogbert
Opinions expressed are property of my evil twin, not my employer.
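The credibility rule the mail invokes from RFC 2181 (section 5.4.1), as an added example that is not part of this thread: a minimal resolver cache in Python that tags each stored RRset with a trust rank, so the child's authoritative five-record NS set replaces the parent's two-record referral glue and a later referral cannot put the glue back. The server names and TTLs are constructed sample data, not real records for abc.com, and the three trust levels are a subset of the RFC's ranking.

```python
from dataclasses import dataclass
from enum import IntEnum

class Trust(IntEnum):
    """Subset of the RFC 2181 section 5.4.1 ranking; a larger value is more credible."""
    NONAUTH_AUTHORITY = 1  # authority/additional section of a non-authoritative reply (parent referral)
    NONAUTH_ANSWER = 2     # answer section of a non-authoritative reply
    AUTH_ANSWER = 3        # answer section of a reply with the AA bit set (the child's own servers)

@dataclass(frozen=True)
class RRset:
    name: str
    rtype: str
    rdata: tuple   # RDATA strings, here the NS target names
    ttl: int
    trust: Trust

def _key(name, rtype):
    # Owner names are case-insensitive; normalise the trailing dot as well.
    return (name.lower().rstrip("."), rtype)

class Cache:
    """Minimal resolver cache that applies the credibility rule when storing RRsets."""

    def __init__(self):
        self._sets = {}

    def store(self, rrset):
        current = self._sets.get(_key(rrset.name, rrset.rtype))
        # RFC 2181 5.4.1: data of lower trustworthiness never replaces cached data of
        # higher trustworthiness; equal or higher trust replaces the whole RRset.
        if current is not None and rrset.trust < current.trust:
            return False
        self._sets[_key(rrset.name, rrset.rtype)] = rrset
        return True

    def lookup(self, name, rtype):
        return self._sets.get(_key(name, rtype))

def referral_then_child_answer():
    """Replay the mail's two queries with constructed data: parent referral first, then the child."""
    cache = Cache()
    parent_glue = RRset("abc.com.", "NS", ("ns1.example.", "ns2.example."), 172800, Trust.NONAUTH_AUTHORITY)
    child_set = RRset("abc.com.", "NS", tuple(f"ns{i}.example." for i in range(1, 6)), 3600, Trust.AUTH_ANSWER)
    cache.store(parent_glue)
    cache.store(child_set)                   # the five-record set replaces the two-record glue
    refused = not cache.store(parent_glue)   # a later referral cannot put the glue back
    return cache.lookup("abc.com", "NS"), refused
```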