To: Keith Moore <moore@cs.utk.edu>
cc: Jim.Bound@nokia.com, seamus@bit-net.com, users@ipv6.org, dnsop@cafax.se, ngtrans@sunroof.eng.sun.com
From: Robert Elz <kre@munnari.OZ.AU>
Date: Fri, 26 Jan 2001 23:20:39 +0700
In-reply-to: Your message of "Thu, 25 Jan 2001 09:48:00 EST." <200101251448.JAA16574@astro.cs.utk.edu>
Sender: owner-dnsop@cafax.se
Subject: Re: (ngtrans) Re: IPv6 dns

    Date:        Thu, 25 Jan 2001 09:48:00 -0500
    From:        Keith Moore <moore@cs.utk.edu>
    Message-ID:  <200101251448.JAA16574@astro.cs.utk.edu>

  | but even if you use A6 with nonzero prefix lengths, how do you verify
  | the authenticity of any DNSSEC signed record?

Huh?

If it is my name you are looking up, and I have an A6 record that
lists a name in your namespace as providing the upper bits of the
address, then I have just delegated that authority to you. The SIG
on my A6 record will verify that. The regular chain of SIG/NS/KEY
records will verify that the A6 record from your server is authentic,
and the SIG on your A6 will verify its authenticity.

What's the problem here? It is known that you have the authority
about that part of the address space, because my A6 record (which would
have given the entire address had it been an AAAA record, and could have,
even as an A6 record) says so. At least it says so for the purposes
of this particular address, but that's all that is relevant.

kre
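
Added example, not part of the message above: a small Python model of the A6 chain it describes, where every link must validate under its own zone's key before its bits are accepted. The zone names, keys, addresses and function names are constructed for illustration, and HMAC stands in for real DNSSEC SIG/KEY verification.

```python
import hashlib
import hmac
import ipaddress

# Constructed zones and keys. HMAC is a stand-in for DNSSEC SIG/KEY validation.
ZONE_KEYS = {"example.org.": b"constructed-key-1",
             "isp.example.": b"constructed-key-2"}

def _mac(name, plen, suffix, prefix_name):
    # "Signature" over the A6 RDATA, made with the key of the zone owning the name.
    zone = next(z for z in ZONE_KEYS if name.endswith(z))
    msg = f"{name}|{plen}|{suffix}|{prefix_name}".encode()
    return hmac.new(ZONE_KEYS[zone], msg, hashlib.sha256).digest()

def signed_a6(name, plen, suffix, prefix_name=""):
    return {"plen": plen, "suffix": suffix, "prefix_name": prefix_name,
            "sig": _mac(name, plen, suffix, prefix_name)}

def sample_records():
    # The host's zone supplies the low 80 bits and names the provider's
    # record as the source of the upper 48 bits (the delegation).
    return {
        "host.example.org.": signed_a6("host.example.org.", 48,
                                       "0:0:0:1::1", "cust.isp.example."),
        "cust.isp.example.": signed_a6("cust.isp.example.", 0,
                                       "2001:db8:abcd::"),
    }

def _resolve(name, records, upper):
    rec = records[name]
    good = _mac(name, rec["plen"], rec["suffix"], rec["prefix_name"])
    if not hmac.compare_digest(good, rec["sig"]):
        raise ValueError(f"A6 record for {name} failed validation")
    plen = rec["plen"]
    if plen >= upper:
        # Simplification of this sketch: each link must shorten the prefix,
        # which also rules out loops.
        raise ValueError(f"A6 chain does not shrink at {name}")
    # This record contributes address bits plen .. upper-1 only.
    mask = ((1 << (128 - plen)) - 1) & ~((1 << (128 - upper)) - 1)
    bits = int(ipaddress.IPv6Address(rec["suffix"])) & mask
    if plen == 0:
        return bits
    return bits | _resolve(rec["prefix_name"], records, plen)

def resolve_a6(name, records):
    """Assemble the full address, accepting only validated links."""
    return str(ipaddress.IPv6Address(_resolve(name, records, 128)))
```

Altering either record without re-signing it under the owning zone's key makes `resolve_a6` raise instead of returning an address.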