To: dnsop@cafax.se
Cc: lewis@tislabs.com
From: Edward Lewis <lewis@tislabs.com>
Date: Tue, 20 Mar 2001 11:11:52 -0500
Sender: owner-dnsop@cafax.se
Subject: Questions on draft-ietf-dnsop-parent-sig-00.txt
In this draft, the idea of having the parent publish the parent-over-child
signature is proposed, in contrast with rfc 2535's child publishing of the
same.
This has been studied in the context of a separated parent and child (i.e.,
not sharing an authoritative name server).
My question is how would this work if the two zones shared a server. In
old BIND, the contents of a domain name in the parent zone were discarded
in preference for contents in the child zone (note: assuming the domain name
is a delegation point, etc.). This was the reason for the dreaded PARENT files.
In new BIND, how are the two domain names (parent entry and child entry,
that is) merged? From the parent comes the NXT and SIG, from the child
just about everything else. Could BIND accommodate the loading of two zones
that might have data like this?
deleg.subzone.test.   NS   machine1
                      NS   machine2
                      KEY  key bits #1
                      SIG  KEY by subzone.test.
                      NXT  deleg2.subzone.test.
                      SIG  NXT by subzone.test.

and

deleg.subzone.test.   SOA
                      SIG  SOA by deleg
                      NS   machine1
                      NS   machine2
                      NS   machine3
                      SIG  NS by deleg
                      KEY  key bits #1
                      SIG  KEY by deleg
                      NXT  host.deleg
                      SIG  NXT by deleg

And the result being:

deleg.subzone.test.   SOA
                      SIG  SOA by deleg
                      NS   machine1
                      NS   machine2
                      NS   machine3
                      SIG  NS by deleg
                      KEY  key bits #1
                      SIG  KEY by deleg
                      SIG  KEY by subzone.test.
                      NXT  deleg2.subzone.test.
                      SIG  NXT by subzone.test.
                      NXT  host.deleg
                      SIG  NXT by deleg
Perhaps there is no need to maintain the "SIG KEY by deleg" and this might
make it cleaner.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis NAI Labs
Phone: +1 443-259-2352 Email: lewis@tislabs.com
Dilbert is an optimist.
Opinions expressed are property of my evil twin, not my employer.
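Added illustration, not from the mail above nor from BIND: a toy model of the merge the mail describes, with the two listings as constructed sample data (FQDNs filled in where the mail abbreviates). `merge_delegation_point` and `ns_mismatch` are assumed names; the mismatch check is added as the operational caveat a server loading both zones would want.

```python
from typing import NamedTuple, Optional

class RR(NamedTuple):
    """One resource record; for a SIG, rdata holds the covered type."""
    name: str
    rtype: str
    rdata: str
    signer: Optional[str] = None  # zone whose key produced this SIG

DELEG, PARENT = "deleg.subzone.test.", "subzone.test."

# Constructed sample data mirroring the two listings in the mail.
PARENT_VIEW = [
    RR(DELEG, "NS", "machine1"), RR(DELEG, "NS", "machine2"),
    RR(DELEG, "KEY", "key bits #1"), RR(DELEG, "SIG", "KEY", PARENT),
    RR(DELEG, "NXT", "deleg2.subzone.test."), RR(DELEG, "SIG", "NXT", PARENT),
]
CHILD_VIEW = [
    RR(DELEG, "SOA", "serial 1"), RR(DELEG, "SIG", "SOA", DELEG),
    RR(DELEG, "NS", "machine1"), RR(DELEG, "NS", "machine2"),
    RR(DELEG, "NS", "machine3"), RR(DELEG, "SIG", "NS", DELEG),
    RR(DELEG, "KEY", "key bits #1"), RR(DELEG, "SIG", "KEY", DELEG),
    RR(DELEG, "NXT", "host.deleg.subzone.test."), RR(DELEG, "SIG", "NXT", DELEG),
]

def merge_delegation_point(parent, child, keep_child_key_sig=True):
    """Child data wins at the delegation name (the old-BIND rule); the
    parent contributes only its NXT and its SIGs over NXT and KEY, i.e.
    the parent-over-child signature the draft proposes publishing there.
    keep_child_key_sig=False drops the child's own SIG KEY, the variant
    the mail suggests might be cleaner."""
    merged = [rr for rr in child
              if keep_child_key_sig
              or not (rr.rtype == "SIG" and rr.rdata == "KEY")]
    merged += [rr for rr in parent
               if rr.rtype == "NXT"
               or (rr.rtype == "SIG" and rr.rdata in ("NXT", "KEY"))]
    return merged

def ns_mismatch(parent, child):
    """Name servers present in only one of the two NS sets. Non-empty
    means the delegation in the parent is out of step with the child apex."""
    pns = {rr.rdata for rr in parent if rr.rtype == "NS"}
    cns = {rr.rdata for rr in child if rr.rtype == "NS"}
    return pns ^ cns

if __name__ == "__main__":
    for rr in merge_delegation_point(PARENT_VIEW, CHILD_VIEW):
        print(rr.name, rr.rtype, rr.rdata, f"by {rr.signer}" if rr.signer else "")
    print("NS mismatch:", ns_mismatch(PARENT_VIEW, CHILD_VIEW))
```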