To: dnsop@cafax.se
Cc: lewis@tislabs.com
From: Edward Lewis <lewis@tislabs.com>
Date: Tue, 20 Mar 2001 11:11:52 -0500
Sender: owner-dnsop@cafax.se
Subject: Questions on draft-ietf-dnsop-parent-sig-00.txt
In this draft, the idea of having the parent publish the parent-over-child signature is proposed, in contrast with RFC 2535's child publishing of the same. This has been studied in the context of a separated parent and child (i.e., not sharing an authoritative name server). My question is how would this work if the two zones shared a server.

In old BIND, the contents of a domain name in the parent zone were discarded in preference for contents in the child zone (note, assuming domain name is a delegation point, etc). This was the reason for the dreaded PARENT files.

In new BIND, how are the two domain names (parent entry and child entry that is) merged? From the parent comes the NXT and SIG, from the child just about everything else. Could BIND accommodate the loading of two zones that might have data like this?

    deleg.subzone.test.  NS   machine1
                         NS   machine2
                         KEY  key bits #1
                         SIG  KEY by subzone.test.
                         NXT  deleg2.subzone.test.
                         SIG  NXT by subzone.test.

and

    deleg.subzone.test.  SOA
                         SIG  SOA by deleg
                         NS   machine1
                         NS   machine2
                         NS   machine3
                         SIG  NS by deleg
                         KEY  key bits #1
                         SIG  KEY by deleg
                         NXT  host.deleg
                         SIG  NXT by deleg

And the result being:

    deleg.subzone.test.  SOA
                         SIG  SOA by deleg
                         NS   machine1
                         NS   machine2
                         NS   machine3
                         SIG  NS by deleg
                         KEY  key bits #1
                         SIG  KEY by deleg
                         SIG  KEY by subzone.test.
                         NXT  deleg2.subzone.test.
                         SIG  NXT by subzone.test.
                         NXT  host.deleg
                         SIG  NXT by deleg

Perhaps there is no need to maintain the "SIG KEY by deleg" and this might make it cleaner.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                          NAI Labs
Phone: +1 443-259-2352                      Email: lewis@tislabs.com

Dilbert is an optimist.

Opinions expressed are property of my evil twin, not my employer.
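The two merge behaviours the message contrasts, modelled as an added example in Python (this is not code from the message, from the draft, or from BIND): the old discard-the-parent rule, and the union of the parent-side and child-side records at the delegation point that the message shows as the desired result. The record contents are the constructed ones from the message; the SOA rdata is a placeholder, and the rdata strings are simplified to just enough to tell the records apart. The function names and the `keep_child_key_sig` switch (which models the closing suggestion of dropping the child's "SIG KEY by deleg") are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Set

@dataclass(frozen=True)
class RR:
    """One resource record at the delegation name (simplified: rdata is a string).

    For SIG records the rdata is written "<covered type> by <signer>", following
    the notation used in the message."""
    name: str
    rtype: str
    rdata: str

NAME = "deleg.subzone.test."

# Constructed input: what the parent zone (subzone.test.) holds at the delegation point.
PARENT_SIDE: List[RR] = [
    RR(NAME, "NS", "machine1"),
    RR(NAME, "NS", "machine2"),
    RR(NAME, "KEY", "key bits #1"),
    RR(NAME, "SIG", "KEY by subzone.test."),
    RR(NAME, "NXT", "deleg2.subzone.test."),
    RR(NAME, "SIG", "NXT by subzone.test."),
]

# Constructed input: what the child zone (deleg.subzone.test.) holds at its apex.
CHILD_APEX: List[RR] = [
    RR(NAME, "SOA", "<soa rdata placeholder>"),
    RR(NAME, "SIG", "SOA by deleg"),
    RR(NAME, "NS", "machine1"),
    RR(NAME, "NS", "machine2"),
    RR(NAME, "NS", "machine3"),
    RR(NAME, "SIG", "NS by deleg"),
    RR(NAME, "KEY", "key bits #1"),
    RR(NAME, "SIG", "KEY by deleg"),
    RR(NAME, "NXT", "host.deleg"),
    RR(NAME, "SIG", "NXT by deleg"),
]

def old_bind_merge(parent: List[RR], child: List[RR]) -> List[RR]:
    """Old behaviour described in the message: parent-side data at a delegation
    point is discarded in favour of the child's data, so the parent's NXT and its
    SIGs never appear."""
    return list(child)

def union_merge(parent: List[RR], child: List[RR],
                keep_child_key_sig: bool = True) -> List[RR]:
    """Union of both zones' records at the name, child records first, exact
    duplicates (same name/type/rdata) kept once. This reproduces the "result"
    listing in the message. With keep_child_key_sig=False the child's own
    signature over the KEY RRset is dropped, as the message suggests might be
    cleaner once the parent publishes its SIG KEY."""
    seen: Set[RR] = set()
    merged: List[RR] = []
    for rr in list(child) + list(parent):
        if rr in seen:
            continue
        seen.add(rr)
        merged.append(rr)
    if not keep_child_key_sig:
        merged = [rr for rr in merged
                  if not (rr.rtype == "SIG" and rr.rdata == "KEY by deleg")]
    return merged

def rrset(records: List[RR], rtype: str) -> List[str]:
    """Sorted rdata of one RRset, for inspecting a merge result."""
    return sorted(rr.rdata for rr in records if rr.rtype == rtype)

def parent_contributed_types(parent: List[RR], child: List[RR]) -> Set[str]:
    """Record types that survive in the union only because the parent supplied
    them, i.e. what the parent actually adds over the child's own apex data."""
    child_set = set(child)
    return {rr.rtype for rr in parent if rr not in child_set}

if __name__ == "__main__":
    for rr in union_merge(PARENT_SIDE, CHILD_APEX):
        print(f"{rr.name:22} {rr.rtype:4} {rr.rdata}")
    print("parent adds only:", parent_contributed_types(PARENT_SIDE, CHILD_APEX))
```

Running the block prints the thirteen records of the message's "result" listing; `parent_contributed_types` confirms the message's observation that, in the union, the parent contributes nothing beyond NXT and SIG records, while the old merge silently loses the parent's NXT chain entry and the parent-over-child signature.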