To: Jim Reid <Jim.Reid@nominum.com>
cc: Shane Kerr <shane@ripe.net>, Alain Durand <Alain.Durand@sun.com>, ggm@apnic.net, dnsop@cafax.se
From: Robert Elz <kre@munnari.OZ.AU>
Date: Fri, 28 Jun 2002 21:03:58 +0700
In-Reply-To: <44341.1025261740@shell.nominum.com>
Sender: owner-dnsop@cafax.se
Subject: Re: draft-durand-ngtrans-dns-issues-00.txt

Date: Fri, 28 Jun 2002 03:55:40 -0700
From: Jim Reid <Jim.Reid@nominum.com>
Message-ID: <44341.1025261740@shell.nominum.com>

| Well as someone already said, signing wildcard RRs can't be done
| easily (if at all) with DNSSEC.

Yes, but even if you're not requiring DNSSEC level of authentication,
just doing the "lookup the name and compare the A6 (maybe AAAA) records
with the address I started with" trick doesn't work with wildcard PTR
records.

It is almost possible to make it work with IPv4, by simply giving the
name in the wildcard PTR an RRSet that lists every possible address.
I suspect that's not going to work real well with IPv6...

kre
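
The forward-confirmation check discussed in this message, as an added example that is not part of the original post: it models a wildcard PTR over a prefix, runs the "look up the name and compare its addresses" check, and computes how large the target's address RRset must be for every address to confirm. The prefixes are documentation ranges, the host names are hypothetical, and the wildcard matching is a simplified model rather than a full resolver.

```python
import ipaddress

def wildcard_owner(prefix):
    """Owner name of a wildcard PTR covering every address in prefix."""
    net = ipaddress.ip_network(prefix)
    bits_per_label = 8 if net.version == 4 else 4   # octet labels vs. nibble labels
    host_labels = (net.max_prefixlen - net.prefixlen) // bits_per_label
    labels = net.network_address.reverse_pointer.split(".")
    return "*." + ".".join(labels[host_labels:]) + "."

def ptr_lookup(addr, ptr_zone):
    """Simplified wildcard match: the nearest enclosing '*.' owner answers."""
    labels = ipaddress.ip_address(addr).reverse_pointer.split(".")
    for i in range(1, len(labels)):
        name = ptr_zone.get("*." + ".".join(labels[i:]) + ".")
        if name:
            return name
    return None

def forward_confirmed(addr, ptr_zone, fwd_zone):
    """PTR -> name -> address RRset must contain the address we started with."""
    name = ptr_lookup(addr, ptr_zone)
    return name is not None and ipaddress.ip_address(addr) in fwd_zone.get(name, set())

def rrset_size_needed(prefix):
    """Address records the wildcard's target needs so every address confirms."""
    return ipaddress.ip_network(prefix).num_addresses

# Constructed zone data (documentation prefixes, hypothetical names).
V4, V6 = "192.0.2.0/24", "2001:db8::/64"
PTR_ZONE = {wildcard_owner(V4): "dyn.example.net.",
            wildcard_owner(V6): "dyn6.example.net."}
# Usual case: the target name carries a single address.
FWD_SINGLE = {"dyn.example.net.": {ipaddress.ip_address("192.0.2.1")},
              "dyn6.example.net.": {ipaddress.ip_address("2001:db8::1")}}
# The IPv4 workaround from the message: list every address of the /24.
FWD_FULL_V4 = {"dyn.example.net.": set(ipaddress.ip_network(V4))}

if __name__ == "__main__":
    print("v4, single A :", forward_confirmed("192.0.2.77", PTR_ZONE, FWD_SINGLE))
    print("v4, full set :", forward_confirmed("192.0.2.77", PTR_ZONE, FWD_FULL_V4))
    print("v6, single   :", forward_confirmed("2001:db8::abcd", PTR_ZONE, FWD_SINGLE))
    print("records for", V4, ":", rrset_size_needed(V4))
    print("records for", V6, ":", rrset_size_needed(V6))
```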