To: Keith Moore <moore@cs.utk.edu>
cc: Jim.Bound@nokia.com, seamus@bit-net.com, users@ipv6.org, dnsop@cafax.se, ngtrans@sunroof.eng.sun.com
From: Robert Elz <kre@munnari.OZ.AU>
Date: Fri, 26 Jan 2001 23:20:39 +0700
In-reply-to: Your message of "Thu, 25 Jan 2001 09:48:00 EST." <200101251448.JAA16574@astro.cs.utk.edu>
Sender: owner-dnsop@cafax.se
Subject: Re: (ngtrans) Re: IPv6 dns

    Date:        Thu, 25 Jan 2001 09:48:00 -0500
    From:        Keith Moore <moore@cs.utk.edu>
    Message-ID:  <200101251448.JAA16574@astro.cs.utk.edu>

  | but even if you use A6 with nonzero prefix lengths, how do you verify
  | the authenticity of any DNSSEC signed record?

Huh?   If it is my name you are looking up, and I have an A6 record
that lists a name in your namespace as providing the upper bits of
the address, then I have just delegated that authority to you.   The
SIG on my A6 record will verify that.   The regular chain of SIG/NS/KEY
records will verify that the A6 record from your server is authentic,
and the SIG on your A6 will verify its authenticity.

What's the problem here?

It is known that you have the authority about that part of the
address space, because my A6 record (which would have given the
entire address had it been an AAAA record, and could have, even
as an A6 record) says so.  At least it says so for the purposes of
this particular address, but that's all that is relevant.

kre
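
An added example, not part of the original message: a sketch of the validation argument above, in which each A6 record is checked under its own zone's key and the signed prefix name acts as the delegation for the upper address bits. HMAC is used as a stand-in for SIG/KEY verification, each zone key is assumed to be already validated through the normal SIG/NS/KEY chain, and all zone names, keys and addresses are constructed.

```python
import hashlib
import hmac
import ipaddress

# Constructed zone keys. HMAC stands in for the SIG/KEY public-key check; each
# key is assumed already validated through the usual SIG/NS/KEY chain.
ZONE_KEYS = {"example.org.": b"org-key", "isp.example.net.": b"isp-key"}

def zone_of(name):
    """Return the most specific zone in ZONE_KEYS that contains name."""
    return max((z for z in ZONE_KEYS if name == z or name.endswith("." + z)), key=len)

def sign(name, plen, suffix, prefix_name, key):
    """Toy signature over an A6 record's owner name and RDATA."""
    msg = f"{name}|{plen}|{suffix}|{prefix_name}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def a6(name, plen, suffix, prefix_name=""):
    """Build (prefix length, address suffix, prefix name, sig) signed by name's zone."""
    return (plen, suffix, prefix_name,
            sign(name, plen, suffix, prefix_name, ZONE_KEYS[zone_of(name)]))

# Constructed records: the host's zone supplies the low 64 bits and names a
# record in the provider's zone as the source of the upper 64 bits.
RECORDS = {
    "host.example.org.": a6("host.example.org.", 64, "::1234:5678:9abc:def0",
                            "site.isp.example.net."),
    "site.isp.example.net.": a6("site.isp.example.net.", 0, "2001:db8:1:2::"),
}

def resolve(name, records, depth=0):
    """Assemble the address, verifying every link under its own zone's key."""
    if depth > 8:
        raise ValueError("A6 chain too long")
    plen, suffix, prefix_name, sig = records[name]
    expected = sign(name, plen, suffix, prefix_name, ZONE_KEYS[zone_of(name)])
    if not hmac.compare_digest(sig, expected):
        raise ValueError(f"bad signature on A6 record for {name}")
    low_mask = (1 << (128 - plen)) - 1
    low = int(ipaddress.IPv6Address(suffix)) & low_mask
    if plen == 0:
        return ipaddress.IPv6Address(low)
    # The signed prefix name is the delegation: upper bits come from that zone.
    high = int(resolve(prefix_name, records, depth + 1)) & ~low_mask
    return ipaddress.IPv6Address(high | low)

if __name__ == "__main__":
    print(resolve("host.example.org.", RECORDS))
```

A change to either record's data without the owning zone's key, including a rewrite of the prefix name in the host's record, makes `resolve` raise instead of returning an address.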

