To: "Stephan Jager" <stephan@nlnetlabs.nl>
Cc: dnssec@cafax.se, team@nlnetlabs.nl
From: Edward Lewis <lewis@tislabs.com>
Date: Thu, 3 May 2001 11:34:08 -0400
Delivery-Date: Fri May 4 08:43:00 2001
In-Reply-To: <200105031458.QAA18372@catv8013.extern.kun.nl>
Sender: owner-dnssec@cafax.se
Subject: Re: SIG over KEY at parent

What is a 'chaser?' ;)

I looked at this some to try to understand the problem.

You say that 213.53.69.1 is a secondary, do you mean to imply that
193.0.0.202 is a primary?  (I tried to ask for the SOA of
nlnetlabs.nl.nl - 193.0.0.202 returns a referral.)

Asking 193.0.0.202 for the A record of open.nlnetlabs.nl (an ns of
nlnetlabs.nl.nl) returns a REFUSED.

At 10:58 AM -0400 5/3/01, Stephan Jager wrote:
>Hi,
>
>I'm working on a chaser for DNSSEC in perl with the extensions Olaf
>made. As the chaser can be seen as a stupid resolver with no knowledge
>from the outside world, it has a problem getting a SIG over a KEY from a
>nameserver its master/secondary. Instead of the SIG over the parent's KEY
>I get a self-signed KEY, which is not useful for chasing.
>
>For example try this:
>
>dig KEY +dnssec nlnetlabs.nl.nl @193.0.0.202
>dig KEY +dnssec nlnetlabs.nl.nl @213.53.69.1
> (secondary for nlnetlabs.nl.nl)
>
>The first one gives me the SIG with the nl.nl KEY, the 2nd one gives me
>the SIG with the nlnetlabs.nl.nl KEY. And yet there is no way for "me
>simple chaser" to get the nl.nl SIG when I only have the wrong
>nameserver in the config.
>
>Yet another reason to not have the zone KEY from the zone in the child,
>but only at the parent.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                NAI Labs
Phone: +1 443-259-2352                      Email: lewis@tislabs.com

You fly too often when ... the airport taxi is on speed-dial.

Opinions expressed are property of my evil twin, not my employer.
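
The distinction the quoted message draws between the two answers, as an added example that is not part of the original thread or of the Perl chaser it mentions: a check that reads the signer name of each SIG covering a KEY RRset and reports whether the answer lets a chaser step up to the parent. The record contents are constructed placeholders and the function names are hypothetical; only the zone names nlnetlabs.nl.nl and nl.nl come from the message.

```python
# Constructed dig-style answers for the two queries quoted above. Key data,
# key tags, timestamps and signatures are placeholders, not captured output.
ANSWER_FIRST = """\
nlnetlabs.nl.nl. 3600 IN KEY 256 3 1 PLACEHOLDERKEY
nlnetlabs.nl.nl. 3600 IN SIG KEY 1 3 3600 20010601000000 20010501000000 11111 nl.nl. PLACEHOLDERSIG
"""
ANSWER_SECOND = """\
nlnetlabs.nl.nl. 3600 IN KEY 256 3 1 PLACEHOLDERKEY
nlnetlabs.nl.nl. 3600 IN SIG KEY 1 3 3600 20010601000000 20010501000000 22222 nlnetlabs.nl.nl. PLACEHOLDERSIG
"""


def norm(name):
    """Lower-case a domain name and make it fully qualified."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def parent_of(name):
    """Return the immediate parent of a name ('.' for a top-level name)."""
    return norm(name).split(".", 1)[1] or "."


def key_sig_signers(answer, owner):
    """Return signer names of every SIG that covers owner's KEY RRset."""
    signers = []
    for line in answer.splitlines():
        f = line.split()
        # owner ttl class SIG covered alg labels origttl exp inc keytag signer sig
        if len(f) >= 13 and f[3].upper() == "SIG" and f[4].upper() == "KEY":
            if norm(f[0]) == norm(owner):
                signers.append(norm(f[11]))
    return signers


def classify(answer, owner):
    """Say whether the KEY answer gives a chaser a link to the parent zone."""
    signers = set(key_sig_signers(answer, owner))
    if not signers:
        return "unsigned"
    if parent_of(owner) in signers:
        return "parent-signed"   # chaser can continue with the parent's KEY
    if signers == {norm(owner)}:
        return "self-signed"     # only proves the key signs itself
    return "other-signer"


if __name__ == "__main__":
    for label, answer in (("first", ANSWER_FIRST), ("second", ANSWER_SECOND)):
        print(label, classify(answer, "nlnetlabs.nl.nl"))
```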